diff --git a/.gitignore b/.gitignore index 9e53a0f..766ab1a 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/sudo-1.8.25p1.tar.gz +SOURCES/sudo-1.8.29.tar.gz diff --git a/.sudo.metadata b/.sudo.metadata index a9c3233..5f0f2dc 100644 --- a/.sudo.metadata +++ b/.sudo.metadata @@ -1 +1 @@ -dc49b91ffbd9cd5e1d1eaaf001c42f71f869f377 SOURCES/sudo-1.8.25p1.tar.gz +fdce342856f1803478eb549479190370001dca95 SOURCES/sudo-1.8.29.tar.gz diff --git a/SOURCES/sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch b/SOURCES/sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch deleted file mode 100644 index 25bbfe9..0000000 --- a/SOURCES/sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch +++ /dev/null @@ -1,70 +0,0 @@ -diff -up sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok ---- sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok.defaults-double-quote-fix 2018-09-24 18:10:37.235000000 +0200 -+++ sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok 2018-09-24 18:11:40.153000000 +0200 -@@ -34,7 +34,7 @@ - }, - { - "Binding": [ -- { "username": "%them" } -+ { "usergroup": "them" } - ], - "Options": [ - { "set_home": true } -@@ -42,7 +42,7 @@ - }, - { - "Binding": [ -- { "username": "%: non UNIX 0 c" } -+ { "nonunixgroup": " non UNIX 0 c" } - ], - "Options": [ - { "set_home": true } -@@ -50,7 +50,7 @@ - }, - { - "Binding": [ -- { "username": "+net" } -+ { "netgroup": "net" } - ], - "Options": [ - { "set_home": true } -diff -up sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok ---- sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok.defaults-double-quote-fix 2018-09-24 18:10:25.216000000 +0200 -+++ sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok 2018-09-24 18:11:45.213000000 +0200 -@@ -29,9 +29,9 @@ DEFAULTS_HOST BEGINSTR STRBODY ENDSTR WO - # - DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR - DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR --DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR --DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR --DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR -+DEFAULTS_USER BEGINSTR STRBODY ENDSTR USERGROUP DEFVAR -+DEFAULTS_USER BEGINSTR STRBODY ENDSTR USERGROUP DEFVAR -+DEFAULTS_USER BEGINSTR STRBODY ENDSTR NETGROUP DEFVAR - - # - DEFAULTS_RUNAS BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR -diff -up sudo-1.8.23/plugins/sudoers/toke.c.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/toke.c ---- sudo-1.8.23/plugins/sudoers/toke.c.defaults-double-quote-fix 2018-04-29 21:59:23.000000000 +0200 -+++ sudo-1.8.23/plugins/sudoers/toke.c 2018-09-24 18:06:15.527000000 +0200 -@@ -2395,7 +2395,7 @@ YY_RULE_SETUP - LEXTRACE("ERROR "); /* empty string */ - LEXRETURN(ERROR); - } -- if (prev_state == INITIAL) { -+ if (prev_state == INITIAL || prev_state == GOTDEFS) { - switch (sudoerslval.string[0]) { - case '%': - if (sudoerslval.string[1] == '\0' || -diff -up sudo-1.8.23/plugins/sudoers/toke.l.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/toke.l ---- sudo-1.8.23/plugins/sudoers/toke.l.defaults-double-quote-fix 2018-04-29 21:59:23.000000000 +0200 -+++ sudo-1.8.23/plugins/sudoers/toke.l 2018-09-24 18:06:15.528000000 +0200 -@@ -187,7 +187,7 @@ DEFVAR [a-z_]+ - LEXTRACE("ERROR "); /* empty string */ - LEXRETURN(ERROR); - } -- if (prev_state == INITIAL) { -+ if (prev_state == INITIAL || prev_state == GOTDEFS) { - switch (sudoerslval.string[0]) { - case '%': - if (sudoerslval.string[1] == '\0' || diff --git a/SOURCES/sudo-1.8.23-ldapsearchuidfix.patch b/SOURCES/sudo-1.8.23-ldapsearchuidfix.patch deleted file mode 100644 index 9698d23..0000000 --- a/SOURCES/sudo-1.8.23-ldapsearchuidfix.patch +++ /dev/null @@ -1,27 +0,0 @@ -diff -up sudo-1.8.23/plugins/sudoers/ldap.c.ldapsearchuidfix sudo-1.8.23/plugins/sudoers/ldap.c ---- sudo-1.8.23/plugins/sudoers/ldap.c.ldapsearchuidfix 2018-04-29 21:59:31.000000000 +0200 -+++ sudo-1.8.23/plugins/sudoers/ldap.c 2018-06-18 08:34:01.202686941 +0200 -@@ -1189,8 +1189,8 @@ sudo_ldap_build_pass1(LDAP *ld, struct p - if (ldap_conf.search_filter) - sz += strlen(ldap_conf.search_filter); - -- /* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */ -- sz += 29 + sudo_ldap_value_len(pw->pw_name); -+ /* Then add (|(sudoUser=USERNAME)(sudoUser=#uid)(sudoUser=ALL)) + NUL */ -+ sz += 29 + (12 + MAX_UID_T_LEN) + sudo_ldap_value_len(pw->pw_name); - - /* Add space for primary and supplementary groups and gids */ - if ((grp = sudo_getgrgid(pw->pw_gid)) != NULL) { -@@ -1253,6 +1253,12 @@ sudo_ldap_build_pass1(LDAP *ld, struct p - CHECK_LDAP_VCAT(buf, pw->pw_name, sz); - CHECK_STRLCAT(buf, ")", sz); - -+ /* Append user uid */ -+ (void) snprintf(gidbuf, sizeof(gidbuf), "%u", (unsigned int)pw->pw_uid); -+ (void) strlcat(buf, "(sudoUser=#", sz); -+ (void) strlcat(buf, gidbuf, sz); -+ (void) strlcat(buf, ")", sz); -+ - /* Append primary group and gid */ - if (grp != NULL) { - CHECK_STRLCAT(buf, "(sudoUser=%", sz); diff --git a/SOURCES/sudo-1.8.23-legacy-group-processing.patch b/SOURCES/sudo-1.8.23-legacy-group-processing.patch index 8cb6a8f..aee16eb 100644 --- a/SOURCES/sudo-1.8.23-legacy-group-processing.patch +++ b/SOURCES/sudo-1.8.23-legacy-group-processing.patch @@ -1,7 +1,7 @@ diff -up ./plugins/sudoers/cvtsudoers.c.legacy-processing ./plugins/sudoers/cvtsudoers.c ---- ./plugins/sudoers/cvtsudoers.c.legacy-processing 2018-09-26 12:27:13.087680204 +0200 -+++ ./plugins/sudoers/cvtsudoers.c 2018-09-26 12:30:59.222466620 +0200 -@@ -321,6 +321,15 @@ main(int argc, char *argv[]) +--- ./plugins/sudoers/cvtsudoers.c.legacy-processing 2019-10-28 13:28:52.000000000 +0100 ++++ ./plugins/sudoers/cvtsudoers.c 2019-10-30 13:32:43.309480623 +0100 +@@ -347,6 +347,15 @@ main(int argc, char *argv[]) sudo_fatalx("error: unhandled input %d", input_format); } @@ -18,9 +18,9 @@ diff -up ./plugins/sudoers/cvtsudoers.c.legacy-processing ./plugins/sudoers/cvts filter_userspecs(&parsed_policy, conf); filter_defaults(&parsed_policy, conf); diff -up ./plugins/sudoers/defaults.c.legacy-processing ./plugins/sudoers/defaults.c ---- ./plugins/sudoers/defaults.c.legacy-processing 2018-09-02 14:30:08.000000000 +0200 -+++ ./plugins/sudoers/defaults.c 2018-09-26 12:27:13.087680204 +0200 -@@ -86,6 +86,7 @@ static struct early_default early_defaul +--- ./plugins/sudoers/defaults.c.legacy-processing 2019-10-28 13:28:52.000000000 +0100 ++++ ./plugins/sudoers/defaults.c 2019-10-30 13:32:43.309480623 +0100 +@@ -93,6 +93,7 @@ static struct early_default early_defaul { I_FQDN }, #endif { I_MATCH_GROUP_BY_GID }, @@ -28,7 +28,7 @@ diff -up ./plugins/sudoers/defaults.c.legacy-processing ./plugins/sudoers/defaul { I_GROUP_PLUGIN }, { I_RUNAS_DEFAULT }, { I_SUDOERS_LOCALE }, -@@ -487,6 +488,8 @@ init_defaults(void) +@@ -494,6 +495,8 @@ init_defaults(void) } /* First initialize the flags. */ @@ -38,10 +38,10 @@ diff -up ./plugins/sudoers/defaults.c.legacy-processing ./plugins/sudoers/defaul def_long_otp_prompt = true; #endif diff -up ./plugins/sudoers/def_data.c.legacy-processing ./plugins/sudoers/def_data.c ---- ./plugins/sudoers/def_data.c.legacy-processing 2018-08-18 16:10:15.000000000 +0200 -+++ ./plugins/sudoers/def_data.c 2018-09-26 12:27:13.087680204 +0200 -@@ -494,6 +494,10 @@ struct sudo_defs_types sudo_defs_table[] - N_("Ignore case when matching group names"), +--- ./plugins/sudoers/def_data.c.legacy-processing 2019-10-30 13:32:43.309480623 +0100 ++++ ./plugins/sudoers/def_data.c 2019-10-30 13:37:25.914602825 +0100 +@@ -506,6 +506,10 @@ struct sudo_defs_types sudo_defs_table[] + N_("Log when a command is denied by sudoers"), NULL, }, { + "legacy_group_processing", T_FLAG, @@ -52,31 +52,31 @@ diff -up ./plugins/sudoers/def_data.c.legacy-processing ./plugins/sudoers/def_da } }; diff -up ./plugins/sudoers/def_data.h.legacy-processing ./plugins/sudoers/def_data.h ---- ./plugins/sudoers/def_data.h.legacy-processing 2018-08-18 16:10:15.000000000 +0200 -+++ ./plugins/sudoers/def_data.h 2018-09-26 12:27:13.087680204 +0200 -@@ -226,6 +226,8 @@ - #define def_case_insensitive_user (sudo_defs_table[I_CASE_INSENSITIVE_USER].sd_un.flag) - #define I_CASE_INSENSITIVE_GROUP 113 - #define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag) -+#define I_LEGACY_GROUP_PROCESSING 114 +--- ./plugins/sudoers/def_data.h.legacy-processing 2019-10-30 13:32:43.310480638 +0100 ++++ ./plugins/sudoers/def_data.h 2019-10-30 13:40:59.651713757 +0100 +@@ -232,6 +232,8 @@ + #define def_log_allowed (sudo_defs_table[I_LOG_ALLOWED].sd_un.flag) + #define I_LOG_DENIED 116 + #define def_log_denied (sudo_defs_table[I_LOG_DENIED].sd_un.flag) ++#define I_LEGACY_GROUP_PROCESSING 117 +#define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag) enum def_tuple { never, diff -up ./plugins/sudoers/def_data.in.legacy-processing ./plugins/sudoers/def_data.in ---- ./plugins/sudoers/def_data.in.legacy-processing 2018-08-18 16:10:15.000000000 +0200 -+++ ./plugins/sudoers/def_data.in 2018-09-26 12:27:13.088680212 +0200 -@@ -357,3 +357,6 @@ case_insensitive_user - case_insensitive_group +--- ./plugins/sudoers/def_data.in.legacy-processing 2019-10-30 13:32:43.310480638 +0100 ++++ ./plugins/sudoers/def_data.in 2019-10-30 13:42:20.915896239 +0100 +@@ -366,3 +366,6 @@ log_allowed + log_denied T_FLAG - "Ignore case when matching group names" + "Log when a command is denied by sudoers" +legacy_group_processing + T_FLAG + "Don't pre-resolve all group names" diff -up ./plugins/sudoers/sudoers.c.legacy-processing ./plugins/sudoers/sudoers.c ---- ./plugins/sudoers/sudoers.c.legacy-processing 2018-08-18 16:10:25.000000000 +0200 -+++ ./plugins/sudoers/sudoers.c 2018-09-26 12:27:13.088680212 +0200 -@@ -212,6 +212,10 @@ sudoers_policy_init(void *info, char * c +--- ./plugins/sudoers/sudoers.c.legacy-processing 2019-10-28 13:28:53.000000000 +0100 ++++ ./plugins/sudoers/sudoers.c 2019-10-30 13:32:43.310480638 +0100 +@@ -221,6 +221,10 @@ sudoers_policy_init(void *info, char * c if (set_loginclass(runas_pw ? runas_pw : sudo_user.pw)) ret = true; diff --git a/SOURCES/sudo-1.8.23-nowaitopt.patch b/SOURCES/sudo-1.8.23-nowaitopt.patch index 6406396..4c3c603 100644 --- a/SOURCES/sudo-1.8.23-nowaitopt.patch +++ b/SOURCES/sudo-1.8.23-nowaitopt.patch @@ -1,7 +1,7 @@ -diff -up sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.c ---- sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt 2018-06-18 09:36:34.249307795 +0200 -+++ sudo-1.8.23/plugins/sudoers/def_data.c 2018-06-18 09:43:12.122986032 +0200 -@@ -498,6 +498,10 @@ struct sudo_defs_types sudo_defs_table[] +diff -up ./plugins/sudoers/def_data.c.nowait ./plugins/sudoers/def_data.c +--- ./plugins/sudoers/def_data.c.nowait 2019-10-30 13:43:48.376168944 +0100 ++++ ./plugins/sudoers/def_data.c 2019-10-30 13:43:48.378168973 +0100 +@@ -510,6 +510,10 @@ struct sudo_defs_types sudo_defs_table[] N_("Don't pre-resolve all group names"), NULL, }, { @@ -12,33 +12,32 @@ diff -up sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt sudo-1.8.23/plugins/su NULL, 0, NULL } }; -diff -up sudo-1.8.23/plugins/sudoers/def_data.h.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.h ---- sudo-1.8.23/plugins/sudoers/def_data.h.nowaitopt 2018-06-18 09:36:34.250307792 +0200 -+++ sudo-1.8.23/plugins/sudoers/def_data.h 2018-06-18 09:43:44.541878327 +0200 -@@ -228,6 +228,8 @@ - #define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag) - #define I_LEGACY_GROUP_PROCESSING 114 +diff -up ./plugins/sudoers/def_data.h.nowait ./plugins/sudoers/def_data.h +--- ./plugins/sudoers/def_data.h.nowait 2019-10-30 13:43:48.378168973 +0100 ++++ ./plugins/sudoers/def_data.h 2019-10-30 13:45:38.425770365 +0100 +@@ -234,6 +234,8 @@ + #define def_log_denied (sudo_defs_table[I_LOG_DENIED].sd_un.flag) + #define I_LEGACY_GROUP_PROCESSING 117 #define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag) -+#define I_CMND_NO_WAIT 115 ++#define I_CMND_NO_WAIT 118 +#define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag) enum def_tuple { never, -diff -up sudo-1.8.23/plugins/sudoers/def_data.in.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.in ---- sudo-1.8.23/plugins/sudoers/def_data.in.nowaitopt 2018-06-18 09:36:34.250307792 +0200 -+++ sudo-1.8.23/plugins/sudoers/def_data.in 2018-06-18 09:45:00.076627403 +0200 -@@ -360,3 +360,6 @@ case_insensitive_group +diff -up ./plugins/sudoers/def_data.in.nowait ./plugins/sudoers/def_data.in +--- ./plugins/sudoers/def_data.in.nowait 2019-10-30 13:43:48.376168944 +0100 ++++ ./plugins/sudoers/def_data.in 2019-10-30 13:43:48.379168987 +0100 +@@ -369,3 +369,6 @@ log_denied legacy_group_processing T_FLAG "Don't pre-resolve all group names" +cmnd_no_wait + T_FLAG + "Don't fork and wait for the command to finish, just exec it" -diff -up sudo-1.8.23/plugins/sudoers/policy.c.nowaitopt sudo-1.8.23/plugins/sudoers/policy.c -diff -up sudo-1.8.23/plugins/sudoers/sudoers.c.nowaitopt sudo-1.8.23/plugins/sudoers/sudoers.c ---- sudo-1.8.23/plugins/sudoers/sudoers.c.nowaitopt 2018-06-18 11:31:51.883751328 +0200 -+++ sudo-1.8.23/plugins/sudoers/sudoers.c 2018-06-18 11:31:03.670899166 +0200 -@@ -213,6 +213,20 @@ sudoers_policy_init(void *info, char * c +diff -up ./plugins/sudoers/sudoers.c.nowait ./plugins/sudoers/sudoers.c +--- ./plugins/sudoers/sudoers.c.nowait 2019-10-30 13:43:48.376168944 +0100 ++++ ./plugins/sudoers/sudoers.c 2019-10-30 13:43:48.379168987 +0100 +@@ -225,6 +225,20 @@ sudoers_policy_init(void *info, char * c def_match_group_by_gid = false; def_legacy_group_processing = false; } diff --git a/SOURCES/sudo-1.8.23-pam-expired-passwords.patch b/SOURCES/sudo-1.8.23-pam-expired-passwords.patch deleted file mode 100644 index bf2078a..0000000 --- a/SOURCES/sudo-1.8.23-pam-expired-passwords.patch +++ /dev/null @@ -1,103 +0,0 @@ - -# HG changeset patch -# User Todd C. Miller -# Date 1544201494 25200 -# Node ID 656aa910fbaf0be517e012c9271c51eb85c1cca5 -# Parent ef83f35c9cb090a8b4fd36942f1e47e65c285dce -The fix for bug #843 was incomplete and caused pam_end() to be called early. -sudo_pam_approval() must not set the global pam status to an error -value if it returns AUTH_SUCCESS. Otherwise, sudo_pam_cleanup() -will call pam_end() before sudo_pam_begin_session(). This resulted -in a NULL PAM handle being used in sudo_pam_begin_session(). - -diff -r ef83f35c9cb0 -r 656aa910fbaf plugins/sudoers/auth/pam.c ---- a/plugins/sudoers/auth/pam.c Wed Dec 05 10:43:14 2018 -0700 -+++ b/plugins/sudoers/auth/pam.c Fri Dec 07 09:51:34 2018 -0700 -@@ -210,59 +210,68 @@ - sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt) - { - const char *s; -+ int rc, status = AUTH_SUCCESS; - int *pam_status = (int *) auth->data; - debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH) - -- *pam_status = pam_acct_mgmt(pamh, PAM_SILENT); -- switch (*pam_status) { -+ rc = pam_acct_mgmt(pamh, PAM_SILENT); -+ switch (rc) { - case PAM_SUCCESS: -- debug_return_int(AUTH_SUCCESS); -+ break; - case PAM_AUTH_ERR: - log_warningx(0, N_("account validation failure, " - "is your account locked?")); -- debug_return_int(AUTH_FATAL); -+ status = AUTH_FATAL; -+ break; - case PAM_NEW_AUTHTOK_REQD: - /* Ignore if user is exempt from password restrictions. */ - if (exempt) -- debug_return_int(AUTH_SUCCESS); -+ break; - /* New password required, try to change it. */ - log_warningx(0, N_("Account or password is " - "expired, reset your password and try again")); -- *pam_status = pam_chauthtok(pamh, -- PAM_CHANGE_EXPIRED_AUTHTOK); -- if (*pam_status == PAM_SUCCESS) -- debug_return_int(AUTH_SUCCESS); -- if ((s = pam_strerror(pamh, *pam_status)) == NULL) -+ rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); -+ if (rc == PAM_SUCCESS) -+ break; -+ if ((s = pam_strerror(pamh, rc)) == NULL) - s = "unknown error"; - log_warningx(0, - N_("unable to change expired password: %s"), s); -- debug_return_int(AUTH_FAILURE); -+ status = AUTH_FAILURE; -+ break; - case PAM_AUTHTOK_EXPIRED: - /* Ignore if user is exempt from password restrictions. */ - if (exempt) -- debug_return_int(AUTH_SUCCESS); -+ break; - /* Password expired, cannot be updated by user. */ - log_warningx(0, - N_("Password expired, contact your system administrator")); -- debug_return_int(AUTH_FATAL); -+ status = AUTH_FATAL; -+ break; - case PAM_ACCT_EXPIRED: - log_warningx(0, - N_("Account expired or PAM config lacks an \"account\" " - "section for sudo, contact your system administrator")); -- debug_return_int(AUTH_FATAL); -+ status = AUTH_FATAL; -+ break; - case PAM_AUTHINFO_UNAVAIL: - case PAM_MAXTRIES: - case PAM_PERM_DENIED: -- s = pam_strerror(pamh, *pam_status); -+ s = pam_strerror(pamh, rc); - log_warningx(0, N_("PAM account management error: %s"), - s ? s : "unknown error"); -- debug_return_int(AUTH_FAILURE); -+ status = AUTH_FAILURE; -+ break; - default: -- s = pam_strerror(pamh, *pam_status); -+ s = pam_strerror(pamh, rc); - log_warningx(0, N_("PAM account management error: %s"), - s ? s : "unknown error"); -- debug_return_int(AUTH_FATAL); -+ status = AUTH_FATAL; -+ break; - } -+ /* Ignore errors if user is exempt from password restrictions. */ -+ *pam_status = exempt ? PAM_SUCCESS : rc; -+ debug_return_int(status); - } - - int - diff --git a/SOURCES/sudo-1.8.23-who-am-i.patch b/SOURCES/sudo-1.8.23-who-am-i.patch deleted file mode 100644 index 2be1c3c..0000000 --- a/SOURCES/sudo-1.8.23-who-am-i.patch +++ /dev/null @@ -1,56 +0,0 @@ -commit b2f7983c84fd01e0b29895d7df776b4b162fd8a5 -Author: Todd C. Miller -Date: Wed Jan 2 07:39:33 2019 -0700 - - Fix setting of utmp entry when running command in a pty. - Regression introduced in sudo 1.8.22. - -diff --git a/src/exec_pty.c b/src/exec_pty.c -index cbcccca3..68312a98 100644 ---- a/src/exec_pty.c -+++ b/src/exec_pty.c -@@ -140,7 +140,7 @@ pty_cleanup(void) - * and slavename globals. - */ - static bool --pty_setup(uid_t uid, const char *tty) -+pty_setup(struct command_details *details, const char *tty) - { - debug_decl(pty_setup, SUDO_DEBUG_EXEC); - -@@ -152,12 +152,15 @@ pty_setup(uid_t uid, const char *tty) - } - - if (!get_pty(&io_fds[SFD_MASTER], &io_fds[SFD_SLAVE], -- slavename, sizeof(slavename), uid)) -+ slavename, sizeof(slavename), details->euid)) - sudo_fatal(U_("unable to allocate pty")); - - /* Add entry to utmp/utmpx? */ -- if (utmp_user != NULL) -+ if (ISSET(details->flags, CD_SET_UTMP)) { -+ utmp_user = -+ details->utmp_user ? details->utmp_user : user_details.username; - utmp_login(tty, slavename, io_fds[SFD_SLAVE], utmp_user); -+ } - - sudo_debug_printf(SUDO_DEBUG_INFO, - "%s: %s fd %d, pty master fd %d, pty slave fd %d", -@@ -1302,12 +1305,11 @@ exec_pty(struct command_details *details, struct command_status *cstat) - /* - * Allocate a pty. - */ -- if (pty_setup(details->euid, user_details.tty)) { -- if (ISSET(details->flags, CD_SET_UTMP)) -- utmp_user = details->utmp_user ? details->utmp_user : user_details.username; -- } else if (TAILQ_EMPTY(&io_plugins)) { -- /* Not logging I/O and didn't allocate a pty. */ -- debug_return_bool(false); -+ if (!pty_setup(details, user_details.tty)) { -+ if (TAILQ_EMPTY(&io_plugins)) { -+ /* Not logging I/O and didn't allocate a pty. */ -+ debug_return_bool(false); -+ } - } - - /* diff --git a/SOURCES/sudo-1.8.25-c-option-help.patch b/SOURCES/sudo-1.8.25-c-option-help.patch deleted file mode 100644 index 5836052..0000000 --- a/SOURCES/sudo-1.8.25-c-option-help.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 142b370c1f928549db3b357a495d151c7cd87f65 Mon Sep 17 00:00:00 2001 -From: "Todd C. Miller" -Date: Tue, 11 Dec 2018 09:05:04 -0700 -Subject: [PATCH 2/4] The -c option was missing from the help info; from - Radovan Sroka - ---- - plugins/sudoers/cvtsudoers.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/plugins/sudoers/cvtsudoers.c b/plugins/sudoers/cvtsudoers.c -index 795936c1..0221314b 100644 ---- a/plugins/sudoers/cvtsudoers.c -+++ b/plugins/sudoers/cvtsudoers.c -@@ -1315,6 +1315,7 @@ help(void) - usage(0); - (void) puts(_("\nOptions:\n" - " -b, --base=dn the base DN for sudo LDAP queries\n" -+ " -c, --config=conf_file the path to the configuration file\n" - " -d, --defaults=deftypes only convert Defaults of the specified types\n" - " -e, --expand-aliases expand aliases when converting\n" - " -f, --output-format=format set output format: JSON, LDIF or sudoers\n" --- -2.17.2 - diff --git a/SOURCES/sudo-1.8.25-sudoreplay-missing-options-help.patch b/SOURCES/sudo-1.8.25-sudoreplay-missing-options-help.patch deleted file mode 100644 index 88fa081..0000000 --- a/SOURCES/sudo-1.8.25-sudoreplay-missing-options-help.patch +++ /dev/null @@ -1,27 +0,0 @@ -diff -up ./plugins/sudoers/sudoreplay.c.sudoreplay-help ./plugins/sudoers/sudoreplay.c ---- ./plugins/sudoers/sudoreplay.c.sudoreplay-help 2018-12-11 18:12:56.715098760 +0100 -+++ ./plugins/sudoers/sudoreplay.c 2018-12-11 18:18:34.345184173 +0100 -@@ -1582,13 +1582,16 @@ help(void) - (void) printf(_("%s - replay sudo session logs\n\n"), getprogname()); - usage(0); - (void) puts(_("\nOptions:\n" -- " -d, --directory=dir specify directory for session logs\n" -- " -f, --filter=filter specify which I/O type(s) to display\n" -- " -h, --help display help message and exit\n" -- " -l, --list list available session IDs, with optional expression\n" -- " -m, --max-wait=num max number of seconds to wait between events\n" -- " -s, --speed=num speed up or slow down output\n" -- " -V, --version display version information and exit")); -+ " -d, --directory=dir specify directory for session logs\n" -+ " -f, --filter=filter specify which I/O type(s) to display\n" -+ " -h, --help display help message and exit\n" -+ " -l, --list list available session IDs, with optional expression\n" -+ " -m, --max-wait=num max number of seconds to wait between events\n" -+ " -n, --non-interactive no prompts, session is sent to the standard output\n" -+ " -R, --no-resize do not attempt to re-size the terminal\n" -+ " -S, --suspend-wait wait while the command was suspended\n" -+ " -s, --speed=num speed up or slow down output\n" -+ " -V, --version display version information and exit")); - exit(0); - } - diff --git a/SOURCES/sudo-1.8.25-typos-manpages.patch b/SOURCES/sudo-1.8.25-typos-manpages.patch deleted file mode 100644 index 32c645e..0000000 --- a/SOURCES/sudo-1.8.25-typos-manpages.patch +++ /dev/null @@ -1,80 +0,0 @@ -From 04a4b3c1fcc1526ff1ea73597a1764cb160d400b Mon Sep 17 00:00:00 2001 -From: "Todd C. Miller" -Date: Tue, 11 Dec 2018 09:02:30 -0700 -Subject: [PATCH 1/4] Fix some typos; reported by Radovan Sroka - ---- - doc/cvtsudoers.cat | 6 +++--- - doc/cvtsudoers.man.in | 6 +++--- - doc/cvtsudoers.mdoc.in | 6 +++--- - 3 files changed, 9 insertions(+), 9 deletions(-) - -diff --git a/doc/cvtsudoers.cat b/doc/cvtsudoers.cat -index 61bf3a28..9c1ef140 100644 ---- a/doc/cvtsudoers.cat -+++ b/doc/cvtsudoers.cat -@@ -24,7 +24,7 @@ DDEESSCCRRIIPPTTIIOONN - --bb _d_n, ----bbaassee=_d_n - The base DN (distinguished name) that will be used when - performing LDAP queries. Typically this is of the form -- ou=SUDOers,dc=-mydomain,dc=com for the domain my-domain.com. -+ ou=SUDOers,dc=my-domain,dc=com for the domain my-domain.com. - If this option is not specified, the value of the - SUDOERS_BASE environment variable will be used instead. Only - necessary when converting to LDIF format. -@@ -60,7 +60,7 @@ DDEESSCCRRIIPPTTIIOONN - Expand aliases in _i_n_p_u_t___f_i_l_e. Aliases are preserved by - default when the output _f_o_r_m_a_t is JSON or sudoers. - -- --ff _o_u_t_p_u_t___f_o_r_m_a_t, ----ffoorrmmaatt=_o_u_t_p_u_t___f_o_r_m_a_t -+ --ff _o_u_t_p_u_t___f_o_r_m_a_t, ----oouuttppuutt--ffoorrmmaatt=_o_u_t_p_u_t___f_o_r_m_a_t - Specify the output format (case-insensitive). The following - formats are supported: - -diff --git a/doc/cvtsudoers.man.in b/doc/cvtsudoers.man.in -index b159ee5d..2f45ee1d 100644 ---- a/doc/cvtsudoers.man.in -+++ b/doc/cvtsudoers.man.in -@@ -59,7 +59,7 @@ The options are as follows: - The base DN (distinguished name) that will be used when performing - LDAP queries. - Typically this is of the form --\fRou=SUDOers,dc=-mydomain,dc=com\fR -+\fRou=SUDOers,dc=my-domain,dc=com\fR - for the domain - \fRmy-domain.com\fR. - If this option is not specified, the value of the -@@ -125,7 +125,7 @@ Aliases are preserved by default when the output - \fIformat\fR - is JSON or sudoers. - .TP 12n --\fB\-f\fR \fIoutput_format\fR, \fB\--format\fR=\fIoutput_format\fR -+\fB\-f\fR \fIoutput_format\fR, \fB\--output-format\fR=\fIoutput_format\fR - Specify the output format (case-insensitive). - The following formats are supported: - .PP -diff --git a/doc/cvtsudoers.mdoc.in b/doc/cvtsudoers.mdoc.in -index 1812bc67..8261ddc6 100644 ---- a/doc/cvtsudoers.mdoc.in -+++ b/doc/cvtsudoers.mdoc.in -@@ -57,7 +57,7 @@ The options are as follows: - The base DN (distinguished name) that will be used when performing - LDAP queries. - Typically this is of the form --.Li ou=SUDOers,dc=-mydomain,dc=com -+.Li ou=SUDOers,dc=my-domain,dc=com - for the domain - .Li my-domain.com . - If this option is not specified, the value of the -@@ -110,7 +110,7 @@ Expand aliases in - Aliases are preserved by default when the output - .Ar format - is JSON or sudoers. --.It Fl f Ar output_format , Fl -format Ns = Ns Ar output_format -+.It Fl f Ar output_format , Fl -output-format Ns = Ns Ar output_format - Specify the output format (case-insensitive). - The following formats are supported: - .Bl -tag -width 8n --- -2.17.2 - diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec index 5279cd9..aac09cf 100644 --- a/SPECS/sudo.spec +++ b/SPECS/sudo.spec @@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.8.25p1 -Release: 5%{?dist} +Version: 1.8.29 +Release: 2%{?dist} License: ISC Group: Applications/System URL: http://www.courtesan.com/sudo/ @@ -39,25 +39,11 @@ Patch2: sudo-1.8.23-sudoldapconfman.patch Patch3: sudo-1.7.2p1-envdebug.patch # 1247591 - Sudo taking a long time when user information is stored externally. Patch4: sudo-1.8.23-legacy-group-processing.patch -# 1135539 - sudo with ldap doesn't work with 'user id' in sudoUser option -Patch5: sudo-1.8.23-ldapsearchuidfix.patch # 840980 - sudo creates a new parent process # Adds cmnd_no_wait Defaults option -Patch6: sudo-1.8.23-nowaitopt.patch +Patch5: sudo-1.8.23-nowaitopt.patch # 1312486 - RHEL7 sudo logs username "root" instead of realuser in /var/log/secure -Patch7: sudo-1.8.6p7-logsudouser.patch -# 1547974 - (sudo-rhel-7.6-rebase) Rebase sudo to latest stable upstream version -Patch8: sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch -# 1613327 - Man page scan results for sudo -Patch9: sudo-1.8.25-typos-manpages.patch -Patch10: sudo-1.8.25-c-option-help.patch -Patch11: sudo-1.8.25-sudoreplay-missing-options-help.patch - -# RHEL 8.1 -# 1673886 - Problem with sudo-1.8.23 and 'who am i' -Patch12: sudo-1.8.23-who-am-i.patch -# 1676819 - Backporting sudo bug with expired passwords -Patch13: sudo-1.8.23-pam-expired-passwords.patch +Patch6: sudo-1.8.6p7-logsudouser.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -86,17 +72,8 @@ plugins that use %{name}. %patch2 -p1 -b .sudoldapconfman %patch3 -p1 -b .env-debug %patch4 -p1 -b .legacy-processing -%patch5 -p1 -b .ldap-search-uid -%patch6 -p1 -b .nowait -%patch7 -p1 -b .logsudouser -%patch8 -p1 -b .double-quote - -%patch9 -p1 -b .typos -%patch10 -p1 -b .c-option -%patch11 -p1 -b .sudoreplay-help - -%patch12 -p1 -b .whoami -%patch13 -p1 -b .pam-expired +%patch5 -p1 -b .nowait +%patch6 -p1 -b .logsudouser %build # Remove bundled copy of zlib @@ -256,21 +233,50 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/sudo_plugin.8* %changelog +* Wed Oct 30 2019 Radovan Sroka - 1.8.29-2 +- RHEL 8.2 ERRATUM +- rebase to 1.8.29 +Resolves: rhbz#1733961 +Resolves: rhbz#1651662 + +* Fri Oct 25 2019 Radovan Sroka - 1.8.28p1-1 +- RHEL 8.2 ERRATUM +- rebase to 1.8.28p1 +Resolves: rhbz#1733961 +- fixed man page for always_set_home +Resolves: rhbz#1576880 +- sudo does not work with notbefore/after +Resolves: rhbz#1679508 +- NOTBEFORE showing value of sudoNotAfter Ldap attribute +Resolves: rhbz#1715516 +- CVE-2019-14287 sudo +- Privilege escalation via 'Runas' specification with 'ALL' keyword +Resolves: rhbz#1760697 + +* Fri Aug 16 2019 Radovan Sroka - 1.8.25-7 +- RHEL 8.1 ERRATUM +- sudo ipa_hostname not honored +Resolves: rhbz#1738662 + +* Mon Aug 12 2019 Radovan Sroka - 1.8.25-6 +- RHEL 8.1 ERRATUM +- Fixed The LDAP backend which is not properly parsing sudoOptions, + resulting in selinux roles not being applied +Resolves: rhbz#1738326 + * Tue May 28 2019 Radovan Sroka - 1.8.25-5 - RHEL 8.1 ERRATUM - Fixed problem with sudo-1.8.23 and 'who am i' Resolves: rhbz#1673886 - Backporting sudo bug with expired passwords Resolves: rhbz#1676819 -- Added baseos CI into gating.yaml -Resolves: rhbz#1682511 * Tue Dec 11 2018 Radovan Sroka - 1.8.25-4 - Fix most of the man page scans problems - Resolves: rhbz#1613327 * Fri Oct 12 2018 Daniel Kopecek - 1.8.25-3 -- bump release for new build after gating tests fixes +- bump release for new build Resolves: rhbz#1625683 * Thu Oct 11 2018 Daniel Kopecek - 1.8.25-2