diff --git a/SOURCES/sudo-1.8.23-pam-expired-passwords.patch b/SOURCES/sudo-1.8.23-pam-expired-passwords.patch
new file mode 100644
index 0000000..bf2078a
--- /dev/null
+++ b/SOURCES/sudo-1.8.23-pam-expired-passwords.patch
@@ -0,0 +1,103 @@
+
+# HG changeset patch
+# User Todd C. Miller
+# Date 1544201494 25200
+# Node ID 656aa910fbaf0be517e012c9271c51eb85c1cca5
+# Parent ef83f35c9cb090a8b4fd36942f1e47e65c285dce
+The fix for bug #843 was incomplete and caused pam_end() to be called early.
+sudo_pam_approval() must not set the global pam status to an error
+value if it returns AUTH_SUCCESS. Otherwise, sudo_pam_cleanup()
+will call pam_end() before sudo_pam_begin_session(). This resulted
+in a NULL PAM handle being used in sudo_pam_begin_session().
+
+diff -r ef83f35c9cb0 -r 656aa910fbaf plugins/sudoers/auth/pam.c
+--- a/plugins/sudoers/auth/pam.c Wed Dec 05 10:43:14 2018 -0700
++++ b/plugins/sudoers/auth/pam.c Fri Dec 07 09:51:34 2018 -0700
+@@ -210,59 +210,68 @@
+ sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt)
+ {
+ const char *s;
++ int rc, status = AUTH_SUCCESS;
+ int *pam_status = (int *) auth->data;
+ debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH)
+ 
+- *pam_status = pam_acct_mgmt(pamh, PAM_SILENT);
+- switch (*pam_status) {
++ rc = pam_acct_mgmt(pamh, PAM_SILENT);
++ switch (rc) {
+ case PAM_SUCCESS:
+- debug_return_int(AUTH_SUCCESS);
++ break;
+ case PAM_AUTH_ERR:
+ log_warningx(0, N_("account validation failure, "
+ "is your account locked?"));
+- debug_return_int(AUTH_FATAL);
++ status = AUTH_FATAL;
++ break;
+ case PAM_NEW_AUTHTOK_REQD:
+ /* Ignore if user is exempt from password restrictions. */
+ if (exempt)
+- debug_return_int(AUTH_SUCCESS);
++ break;
+ /* New password required, try to change it.
*/
+ log_warningx(0, N_("Account or password is "
+ "expired, reset your password and try again"));
+- *pam_status = pam_chauthtok(pamh,
+- PAM_CHANGE_EXPIRED_AUTHTOK);
+- if (*pam_status == PAM_SUCCESS)
+- debug_return_int(AUTH_SUCCESS);
+- if ((s = pam_strerror(pamh, *pam_status)) == NULL)
++ rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
++ if (rc == PAM_SUCCESS)
++ break;
++ if ((s = pam_strerror(pamh, rc)) == NULL)
+ s = "unknown error";
+ log_warningx(0,
+ N_("unable to change expired password: %s"), s);
+- debug_return_int(AUTH_FAILURE);
++ status = AUTH_FAILURE;
++ break;
+ case PAM_AUTHTOK_EXPIRED:
+ /* Ignore if user is exempt from password restrictions. */
+ if (exempt)
+- debug_return_int(AUTH_SUCCESS);
++ break;
+ /* Password expired, cannot be updated by user. */
+ log_warningx(0,
+ N_("Password expired, contact your system administrator"));
+- debug_return_int(AUTH_FATAL);
++ status = AUTH_FATAL;
++ break;
+ case PAM_ACCT_EXPIRED:
+ log_warningx(0,
+ N_("Account expired or PAM config lacks an \"account\" "
+ "section for sudo, contact your system administrator"));
+- debug_return_int(AUTH_FATAL);
++ status = AUTH_FATAL;
++ break;
+ case PAM_AUTHINFO_UNAVAIL:
+ case PAM_MAXTRIES:
+ case PAM_PERM_DENIED:
+- s = pam_strerror(pamh, *pam_status);
++ s = pam_strerror(pamh, rc);
+ log_warningx(0, N_("PAM account management error: %s"),
+ s ? s : "unknown error");
+- debug_return_int(AUTH_FAILURE);
++ status = AUTH_FAILURE;
++ break;
+ default:
+- s = pam_strerror(pamh, *pam_status);
++ s = pam_strerror(pamh, rc);
+ log_warningx(0, N_("PAM account management error: %s"),
+ s ? s : "unknown error");
+- debug_return_int(AUTH_FATAL);
++ status = AUTH_FATAL;
++ break;
+ }
++ /* Ignore errors if user is exempt from password restrictions. */
++ *pam_status = exempt ? PAM_SUCCESS : rc;
++ debug_return_int(status);
+ }
+ 
+ int
+
diff --git a/SOURCES/sudo-1.8.23-who-am-i.patch b/SOURCES/sudo-1.8.23-who-am-i.patch
new file mode 100644
index 0000000..2be1c3c
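Review bot: The closing `*pam_status = exempt ? PAM_SUCCESS : rc;` in sudo_pam_approval applies the exempt override to every pam_acct_mgmt() result, while the switch above honours `exempt` only for PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED; an exempt user whose account is locked (PAM_AUTH_ERR) or expired (PAM_ACCT_EXPIRED) is returned AUTH_FATAL yet has PAM_SUCCESS recorded in the shared status. The HG description states the invariant as "must not set the global pam status to an error value if it returns AUTH_SUCCESS", which is expressed directly by `*pam_status = (status == AUTH_SUCCESS) ? PAM_SUCCESS : rc;` and keeps the real PAM error for the failing exempt cases. Whether the mismatch is observable depends on sudo_pam_cleanup() and on what callers do with AUTH_FATAL, neither of which is in this hunk, so treat it as a consistency point rather than a confirmed fault. The comment above the assignment would then read `/* Never leave an error in the shared status when we return AUTH_SUCCESS. */`.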
--- /dev/null
+++ b/SOURCES/sudo-1.8.23-who-am-i.patch
@@ -0,0 +1,56 @@
+commit b2f7983c84fd01e0b29895d7df776b4b162fd8a5
+Author: Todd C. Miller
+Date: Wed Jan 2 07:39:33 2019 -0700
+
+ Fix setting of utmp entry when running command in a pty.
+ Regression introduced in sudo 1.8.22.
+
+diff --git a/src/exec_pty.c b/src/exec_pty.c
+index cbcccca3..68312a98 100644
+--- a/src/exec_pty.c
++++ b/src/exec_pty.c
+@@ -140,7 +140,7 @@ pty_cleanup(void)
+ * and slavename globals.
+ */
+ static bool
+-pty_setup(uid_t uid, const char *tty)
++pty_setup(struct command_details *details, const char *tty)
+ {
+ debug_decl(pty_setup, SUDO_DEBUG_EXEC);
+ 
+@@ -152,12 +152,15 @@ pty_setup(uid_t uid, const char *tty)
+ }
+ 
+ if (!get_pty(&io_fds[SFD_MASTER], &io_fds[SFD_SLAVE],
+- slavename, sizeof(slavename), uid))
++ slavename, sizeof(slavename), details->euid))
+ sudo_fatal(U_("unable to allocate pty"));
+ 
+ /* Add entry to utmp/utmpx? */
+- if (utmp_user != NULL)
++ if (ISSET(details->flags, CD_SET_UTMP)) {
++ utmp_user =
++ details->utmp_user ? details->utmp_user : user_details.username;
+ utmp_login(tty, slavename, io_fds[SFD_SLAVE], utmp_user);
++ }
+ 
+ sudo_debug_printf(SUDO_DEBUG_INFO,
+ "%s: %s fd %d, pty master fd %d, pty slave fd %d",
+@@ -1302,12 +1305,11 @@ exec_pty(struct command_details *details, struct command_status *cstat)
+ /*
+ * Allocate a pty.
+ */
+- if (pty_setup(details->euid, user_details.tty)) {
+- if (ISSET(details->flags, CD_SET_UTMP))
+- utmp_user = details->utmp_user ? details->utmp_user : user_details.username;
+- } else if (TAILQ_EMPTY(&io_plugins)) {
+- /* Not logging I/O and didn't allocate a pty. */
+- debug_return_bool(false);
++ if (!pty_setup(details, user_details.tty)) {
++ if (TAILQ_EMPTY(&io_plugins)) {
++ /* Not logging I/O and didn't allocate a pty. */
++ debug_return_bool(false);
++ }
+ }
+ 
+ /*
diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec
index 2dd0195..3c32c1b 100644
--- a/SPECS/sudo.spec
+++ b/SPECS/sudo.spec
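Review bot: pty_setup() now assigns the shared `utmp_user` variable before calling utmp_login(), but the header comment fragment visible at the top of the first inner hunk, ending `* and slavename globals.`, still names only the pty-related globals as its outputs, so the moved assignment is an undocumented side effect. I would extend that comment to something like `* and slavename globals.  Also sets utmp_user when CD_SET_UTMP is set in details->flags.` The exec_pty() hunk later in the patch drops its own assignment and relies on pty_setup() having done it, so the comment is now the only place a reader is told which function owns that variable. pty_setup()'s body and exec_pty() both extend beyond the inner hunks shown.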
@@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo Version: 1.8.23 -Release: 3%{?dist} +Release: 4%{?dist} License: ISC Group: Applications/System URL: http://www.courtesan.com/sudo/ @@ -50,7 +50,13 @@ Patch7: sudo-1.8.23-nowaitopt.patch # bz in RHEL. The feature itself was delivered via the rebase to 1.8.23. Patch8: sudo-1.8.23-Ignore-PAM_NEW_AUTHTOK_REQD-and-PAM_AUTHTOK_EXPIRED.patch # 1547974 - (sudo-rhel-7.6-rebase) Rebase sudo to latest stable upstream version -Patch9: sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch +Patch9: sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch + +# 1672876 - Backporting sudo bug with expired passwords +Patch10: sudo-1.8.23-pam-expired-passwords.patch +# 1665285 - Problem with sudo-1.8.23 and 'who am i' +Patch11: sudo-1.8.23-who-am-i.patch + %description Sudo (superuser do) allows a system administrator to give certain @@ -85,6 +91,9 @@ plugins that use %{name}. %patch8 -p1 -b .pam-mgmt-ignore-errors %patch9 -p1 -b .defaults-double-quote-fix +%patch10 -p1 -b .pam-expired +%patch11 -p1 -b .who-am-i + %build autoreconf -I m4 -fv --install @@ -222,6 +231,12 @@ rm -rf %{buildroot} %{_mandir}/man8/sudo_plugin.8* %changelog + +* Wed Feb 20 2019 Radovan Sroka 1.8.23-4 +- RHEL-7.7 erratum + Resolves: rhbz#1672876 - Backporting sudo bug with expired passwords + Resolves: rhbz#1665285 - Problem with sudo-1.8.23 and 'who am i' + * Mon Sep 24 2018 Daniel Kopecek 1.8.23-3 - RHEL-7.6 erratum Resolves: rhbz#1547974 - Rebase sudo to latest stable upstream version 
@@ -318,11 +333,11 @@ rm -rf %{buildroot} * Wed Mar 08 2017 Tomas Sykora - 1.8.19p2-2 - RHEL 7.4 erratum -- Fixes coverity scan issues created by our patches: +- Fixes coverity scan issues created by our patches: - fixed resource leaks and a compiler warning in digest backport patch - removed needless code from cmnd_no_wait patch causing clang warning - format of the last changelog message causes problems to rhpkg push, - so don't use that as a commit message + so don't use that as a commit message Resolves: rhbz#1360687 * Wed Mar 01 2017 Tomas Sykora - 1.8.19p2-1 @@ -331,7 +346,7 @@ rm -rf %{buildroot} - Resolves: rhbz#1123526 - performance improvement - Resolves: rhbz#1308789 - add MAIL and NOMAIL tags - Resolves: rhbz#1348504 - sudo now parses sudoers with sudoers locale - - Resolves: rhbz#1374417 - "sudo -l command" indicated that the command + - Resolves: rhbz#1374417 - "sudo -l command" indicated that the command was runnable even if denied by sudoers when using LDAP or SSSD backend. - Resolves: rhbz#1387303 - add ignore_iolog_errors option - Resolves: rhbz#1389360 - wrong log file group ownership @@ -538,7 +553,7 @@ rm -rf %{buildroot} * Thu May 17 2012 Daniel Kopecek - 1.8.5-1 - update to 1.8.5 - fixed CVE-2012-2337 -- temporarily disabled SSSD support +- temporarily disabled SSSD support * Wed Feb 29 2012 Daniel Kopecek - 1.8.3p1-6 - fixed problems with undefined symbols (rhbz#798517) @@ -557,7 +572,7 @@ rm -rf %{buildroot} * Thu Nov 10 2011 Daniel Kopecek - 1.8.3p1-1 - update to 1.8.3p1 -- disable output word wrapping if the output is piped +- disable output word wrapping if the output is piped * Wed Sep 7 2011 Peter Robinson - 1.8.1p2-2 - Remove execute bit from sample script in docs so we don't pull in perl 
@@ -692,7 +707,7 @@ rm -rf %{buildroot} - sparc64 needs to be in the -fPIE list with s390 * Mon Jan 07 2008 Peter Vrabec 1.6.9p4-5 -- fix complains about audit_log_user_command(): Connection +- fix complains about audit_log_user_command(): Connection refused (#401201) * Wed Dec 05 2007 Release Engineering - 1.6.9p4-4 @@ -794,7 +809,7 @@ rm -rf %{buildroot} - rebuild * Mon Oct 4 2004 Thomas Woerner 1.6.7p5-30.1 -- added missing BuildRequires for libselinux-devel (#132883) +- added missing BuildRequires for libselinux-devel (#132883) * Wed Sep 29 2004 Dan Walsh 1.6.7p5-30 - Fix missing param error in sesh @@ -821,7 +836,7 @@ rm -rf %{buildroot} exec of child with SELinux patch * Thu Mar 18 2004 Dan Walsh 1.6.7p5-23 -- change to default to sysadm_r +- change to default to sysadm_r - Fix tty handling * Thu Mar 18 2004 Dan Walsh 1.6.7p5-22 @@ -829,7 +844,7 @@ rm -rf %{buildroot} - replace /bin/bash -c with /bin/sesh * Tue Mar 16 2004 Dan Walsh 1.6.7p5-21 -- Hard code to use "/bin/bash -c" for selinux +- Hard code to use "/bin/bash -c" for selinux * Tue Mar 16 2004 Dan Walsh 1.6.7p5-20 - Eliminate closing and reopening of terminals, to match su. @@ -854,7 +869,7 @@ rm -rf %{buildroot} - Fix is_selinux_enabled call * Tue Jan 13 2004 Dan Walsh 1.6.7p5-13 -- Clean up patch on failure +- Clean up patch on failure * Tue Jan 6 2004 Dan Walsh 1.6.7p5-12 - Remove sudo.te for now. @@ -977,7 +992,7 @@ rm -rf %{buildroot} - fixed so it doesn't find /usr/bin/vi first, but instead /bin/vi (always installed) * Thu Oct 08 1998 Michael Maher -- built package for 5.2 +- built package for 5.2 * Mon May 18 1998 Michael Maher - updated SPEC file @@ -989,10 +1004,9 @@ rm -rf %{buildroot} - built for glibc, no problems * Fri Apr 25 1997 Michael Fulbright -- Fixed for 4.2 PowerTools +- Fixed for 4.2 PowerTools - Still need to be pamified - Still need to move stmp file to /var/log * Mon Feb 17 1997 Michael Fulbright - First version for PowerCD. -