diff --git a/SOURCES/sudo-1.7.4p5-sudo-ldap.conf b/SOURCES/sudo-1.7.4p5-sudo-ldap.conf
deleted file mode 100644
index d8f8e4d..0000000
--- a/SOURCES/sudo-1.7.4p5-sudo-ldap.conf
+++ /dev/null
@@ -1,86 +0,0 @@
-## BINDDN DN
-## The BINDDN parameter specifies the identity, in the form of a Dis‐
-## tinguished Name (DN), to use when performing LDAP operations. If
-## not specified, LDAP operations are performed with an anonymous
-## identity. By default, most LDAP servers will allow anonymous
-## access.
-##
-#binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
-
-## BINDPW secret
-## The BINDPW parameter specifies the password to use when performing
-## LDAP operations. This is typically used in conjunction with the
-## BINDDN parameter.
-##
-#bindpw secret
-
-## SSL start_tls
-## If the SSL parameter is set to start_tls, the LDAP server connec‐
-## tion is initiated normally and TLS encryption is begun before the
-## bind credentials are sent. This has the advantage of not requiring
-## a dedicated port for encrypted communications. This parameter is
-## only supported by LDAP servers that honor the start_tls extension,
-## such as the OpenLDAP and Tivoli Directory servers.
-##
-#ssl start_tls
-
-## TLS_CACERTFILE file name
-## The path to a certificate authority bundle which contains the cer‐
-## tificates for all the Certificate Authorities the client knows to
-## be valid, e.g. /etc/ssl/ca-bundle.pem. This option is only sup‐
-## ported by the OpenLDAP libraries. Netscape-derived LDAP libraries
-## use the same certificate database for CA and client certificates
-## (see TLS_CERT).
-##
-#tls_cacertfile /path/to/CA.crt
-
-## TLS_CHECKPEER on/true/yes/off/false/no
-## If enabled, TLS_CHECKPEER will cause the LDAP server's TLS certifi‐
-## cated to be verified. If the server's TLS certificate cannot be
-## verified (usually because it is signed by an unknown certificate
-## authority), sudo will be unable to connect to it. If TLS_CHECKPEER
-## is disabled, no check is made. Note that disabling the check cre‐
-## ates an opportunity for man-in-the-middle attacks since the
-## server's identity will not be authenticated. If possible, the CA's
-## certificate should be installed locally so it can be verified.
-## This option is not supported by the Tivoli Directory Server LDAP
-## libraries.
-#tls_checkpeer yes
-
-##
-## URI ldap[s]://[hostname[:port]] ...
-## Specifies a whitespace-delimited list of one or more
-## URIs describing the LDAP server(s) to connect to.
-##
-#uri ldap://ldapserver
-
-##
-## SUDOERS_BASE base
-## The base DN to use when performing sudo LDAP queries.
-## Multiple SUDOERS_BASE lines may be specified, in which
-## case they are queried in the order specified.
-##
-#sudoers_base ou=SUDOers,dc=example,dc=com
-
-##
-## BIND_TIMELIMIT seconds
-## The BIND_TIMELIMIT parameter specifies the amount of
-## time to wait while trying to connect to an LDAP server.
-##
-#bind_timelimit 30
-
-##
-## TIMELIMIT seconds
-## The TIMELIMIT parameter specifies the amount of time
-## to wait for a response to an LDAP query.
-##
-#timelimit 30
-
-##
-## SUDOERS_DEBUG debug_level
-## This sets the debug level for sudo LDAP queries. Debugging
-## information is printed to the standard error. A value of 1
-## results in a moderate amount of debugging information.
-## A value of 2 shows the results of the matches themselves.
-##
-#sudoers_debug 1
diff --git a/SOURCES/sudo-1.8.6p3-sigpipefix.patch b/SOURCES/sudo-1.8.6p3-sigpipefix.patch
new file mode 100644
index 0000000..ce4886b
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p3-sigpipefix.patch
@@ -0,0 +1,12 @@
+diff -up sudo-1.8.6p3/src/tgetpass.c.sigpipefix sudo-1.8.6p3/src/tgetpass.c
+--- sudo-1.8.6p3/src/tgetpass.c.sigpipefix 2015-03-03 10:23:23.219038693 +0100
++++ sudo-1.8.6p3/src/tgetpass.c 2015-03-03 10:23:43.089813184 +0100
+@@ -173,7 +173,7 @@ restore:
+ (void) sigaction(SIGTSTP, &savetstp, NULL);
+ (void) sigaction(SIGTTIN, &savettin, NULL);
+ (void) sigaction(SIGTTOU, &savettou, NULL);
+- (void) sigaction(SIGTTOU, &savepipe, NULL);
++ (void) sigaction(SIGPIPE, &savepipe, NULL);
+ if (input != STDIN_FILENO)
+ (void) close(input);
+ 
diff --git a/SOURCES/sudo-1.8.6p3-sudo.conf b/SOURCES/sudo-1.8.6p3-sudo.conf
deleted file mode 100644
index 3047842..0000000
--- a/SOURCES/sudo-1.8.6p3-sudo.conf
+++ /dev/null
@@ -1,57 +0,0 @@
-#
-# Default /etc/sudo.conf file
-#
-# Format:
-# Plugin plugin_name plugin_path plugin_options ...
-# Path askpass /path/to/askpass
-# Path noexec /path/to/sudo_noexec.so
-# Debug sudo /var/log/sudo_debug all@warn
-# Set disable_coredump true
-#
-# Sudo plugins:
-#
-# The plugin_path is relative to ${prefix}/libexec unless fully qualified.
-# The plugin_name corresponds to a global symbol in the plugin
-# that contains the plugin interface structure.
-# The plugin_options are optional.
-#
-# The sudoers plugin is used by default if no Plugin lines are present.
-Plugin sudoers_policy sudoers.so
-Plugin sudoers_io sudoers.so
-
-#
-# Sudo askpass:
-#
-# An askpass helper program may be specified to provide a graphical
-# password prompt for "sudo -A" support. Sudo does not ship with its
-# own passpass program but can use the OpenSSH askpass.
-#
-# Use the OpenSSH askpass
-#Path askpass /usr/X11R6/bin/ssh-askpass
-#
-# Use the Gnome OpenSSH askpass
-#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
-
-#
-# Sudo noexec:
-#
-# Path to a shared library containing dummy versions of the execv(),
-# execve() and fexecve() library functions that just return an error.
-# This is used to implement the "noexec" functionality on systems that
-# support C or its equivalent.
-# The compiled-in value is usually sufficient and should only be changed
-# if you rename or move the sudo_noexec.so file.
-#
-#Path noexec /usr/libexec/sudo_noexec.so
-
-#
-# Core dumps:
-#
-# By default, sudo disables core dumps while it is executing (they
-# are re-enabled for the command that is run).
-# To aid in debugging sudo problems, you may wish to enable core
-# dumps by setting "disable_coredump" to false.
-#
-# Set to false here so as not to interfere with /proc/sys/fs/suid_dumpable
-#
-Set disable_coredump false
diff --git a/SOURCES/sudo-1.8.6p3-visudo-quiet-flag.patch b/SOURCES/sudo-1.8.6p3-visudo-quiet-flag.patch
new file mode 100644
index 0000000..30c4eef
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p3-visudo-quiet-flag.patch
@@ -0,0 +1,12 @@
+diff -up sudo-1.8.6p3/plugins/sudoers/visudo.c.fix sudo-1.8.6p3/plugins/sudoers/visudo.c
+--- sudo-1.8.6p3/plugins/sudoers/visudo.c.fix 2015-07-22 11:29:03.899122767 +0200
++++ sudo-1.8.6p3/plugins/sudoers/visudo.c 2015-07-22 11:29:33.001826535 +0200
+@@ -201,7 +201,7 @@ main(int argc, char *argv[])
+ strict = true; /* strict mode */
+ break;
+ case 'q':
+- quiet = false; /* quiet mode */
++ quiet = true; /* quiet mode */
+ break;
+ default:
+ usage(1);
diff --git a/SOURCES/sudo-1.8.6p7-14-sudoers b/SOURCES/sudo-1.8.6p7-14-sudoers
deleted file mode 100644
index a943c24..0000000
--- a/SOURCES/sudo-1.8.6p7-14-sudoers
+++ /dev/null
@@ -1,118 +0,0 @@
-## Sudoers allows particular users to run various commands as
-## the root user, without needing the root password.
-##
-## Examples are provided at the bottom of the file for collections
-## of related commands, which can then be delegated out to particular
-## users or groups.
-##
-## This file must be edited with the 'visudo' command.
-
-## Host Aliases
-## Groups of machines. You may prefer to use hostnames (perhaps using
-## wildcards for entire domains) or IP addresses instead.
-# Host_Alias FILESERVERS = fs1, fs2
-# Host_Alias MAILSERVERS = smtp, smtp2
-
-## User Aliases
-## These aren't often necessary, as you can use regular groups
-## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
-## rather than USERALIAS
-# User_Alias ADMINS = jsmith, mikem
-
-
-## Command Aliases
-## These are groups of related commands...
-
-## Networking
-# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
-
-## Installation and management of software
-# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
-
-## Services
-# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
-
-## Updating the locate database
-# Cmnd_Alias LOCATE = /usr/bin/updatedb
-
-## Storage
-# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
-
-## Delegating permissions
-# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
-
-## Processes
-# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
-
-## Drivers
-# Cmnd_Alias DRIVERS = /sbin/modprobe
-
-# Defaults specification
-
-#
-# Disable "ssh hostname sudo ", because it will show the password in clear.
-# You have to run "ssh -t hostname sudo ".
-#
-Defaults requiretty
-
-#
-# Refuse to run if unable to disable echo on the tty. This setting should also be
-# changed in order to be able to use sudo without a tty. See requiretty above.
-#
-Defaults !visiblepw
-
-#
-# Preserving HOME has security implications since many programs
-# use it when searching for configuration files. Note that HOME
-# is already set when the the env_reset option is enabled, so
-# this option is only effective for configurations where either
-# env_reset is disabled or HOME is present in the env_keep list.
-#
-Defaults always_set_home
-
-Defaults env_reset
-Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
-Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
-Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
-Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
-Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
-
-#
-# Adding HOME to env_keep may enable a user to run unrestricted
-# commands via sudo.
-#
-# Defaults env_keep += "HOME"
-
-Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
-
-## Next comes the main part: which users can run what software on
-## which machines (the sudoers file can be shared between multiple
-## systems).
-## Syntax:
-##
-## user MACHINE=COMMANDS
-##
-## The COMMANDS section may have other options added to it.
-##
-## Allow root to run any commands anywhere
-root ALL=(ALL) ALL
-
-## Allows members of the 'sys' group to run networking, software,
-## service management apps and more.
-# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
-
-## Allows people in group wheel to run all commands
-%wheel ALL=(ALL) ALL
-
-## Same thing without a password
-# %wheel ALL=(ALL) NOPASSWD: ALL
-
-## Allows members of the users group to mount and unmount the
-## cdrom as root
-# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
-
-## Allows members of the users group to shutdown this system
-# %users localhost=/sbin/shutdown -h now
-
-## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
-#includedir /etc/sudoers.d
diff --git a/SOURCES/sudo-1.8.6p7-digest_race_doc.patch b/SOURCES/sudo-1.8.6p7-digest_race_doc.patch
new file mode 100644
index 0000000..32544b3
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p7-digest_race_doc.patch
@@ -0,0 +1,88 @@
+diff -up sudo-1.8.6p7/doc/sudoers.cat.digest_race_doc sudo-1.8.6p7/doc/sudoers.cat
+--- sudo-1.8.6p7/doc/sudoers.cat.digest_race_doc 2016-05-11 13:53:51.125141217 +0200
++++ sudo-1.8.6p7/doc/sudoers.cat 2016-05-11 13:56:10.678178899 +0200
+@@ -301,13 +301,11 @@ SSUUDDOOEERRSS FFIILLEE FFO
+ 
+ If a command name is prefixed with a Digest_Spec, the command will only
+ match successfully if it can be verified using the specified SHA-2
+- digest. This may be useful in situations where the user invoking ssuuddoo
+- has write access to the command or its parent directory. The following
+- digest formats are supported: sha224, sha256, sha384 and sha512. The
+- string may be specified in either hex or base64 format (base64 is more
+- compact). There are several utilities capable of generating SHA-2
+- digests in hex format such as openssl, shasum, sha224sum, sha256sum,
+- sha384sum, sha512sum.
++ digest. The following digest formats are supported: sha224, sha256,
++ sha384 and sha512. The string may be specified in either hex or base64
++ format (base64 is more compact). There are several utilities capable of
++ generating SHA-2 digests in hex format such as openssl, shasum,
++ sha224sum, sha256sum, sha384sum, sha512sum.
+ 
+ For example, using openssl:
+ 
+@@ -319,6 +317,11 @@ SSUUDDOOEERRSS FFIILLEE FFO
+ $ openssl dgst -binary -sha224 /bin/ls | openssl base64
+ EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
+ 
++ If the user has write access to either the command itself or the
++ directory in which the command is located (directly or via a ssuuddoo
++ command) it may be possible for the user to replace the command after the
++ digest check has been performed but before the command is executed.
++ 
+ DDeeffaauullttss
+ Certain configuration options may be changed from their default values at
+ run-time via one or more Default_Entry lines. These may affect all users
+diff -up sudo-1.8.6p7/doc/sudoers.man.in.digest_race_doc sudo-1.8.6p7/doc/sudoers.man.in
+--- sudo-1.8.6p7/doc/sudoers.man.in.digest_race_doc 2016-05-11 13:54:01.005002291 +0200
++++ sudo-1.8.6p7/doc/sudoers.man.in 2016-05-11 13:58:28.541240345 +0200
+@@ -679,9 +679,6 @@ is prefixed with a
+ \fRDigest_Spec\fR,
+ the command will only match successfully if it can be verified
+ using the specified SHA-2 digest.
+-This may be useful in situations where the user invoking
+-\fBsudo\fR
+-has write access to the command or its parent directory.
+ The following digest formats are supported: sha224, sha256, sha384 and sha512.
+ The string may be specified in either hex or base64 format
+ (base64 is more compact).
+@@ -705,6 +702,13 @@ $ openssl dgst -binary -sha224 /bin/ls |
+ EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
+ .RE
+ .fi
++.PP
++If the user has write access to either the command itself or the
++directory in which the command is located (directly or via a
++\fBsudo\fR
++command) it may be possible for the user to replace the command
++after the digest check has been performed but before the command
++is executed.
+ .SS "Defaults"
+ Certain configuration options may be changed from their default
+ values at run-time via one or more
+diff -up sudo-1.8.6p7/doc/sudoers.mdoc.in.digest_race_doc sudo-1.8.6p7/doc/sudoers.mdoc.in
+--- sudo-1.8.6p7/doc/sudoers.mdoc.in.digest_race_doc 2016-05-11 13:54:07.749907447 +0200
++++ sudo-1.8.6p7/doc/sudoers.mdoc.in 2016-05-11 13:59:22.263484933 +0200
+@@ -655,9 +655,6 @@ is prefixed with a
+ .Li Digest_Spec ,
+ the command will only match successfully if it can be verified
+ using the specified SHA-2 digest.
+-This may be useful in situations where the user invoking
+-.Nm sudo
+-has write access to the command or its parent directory.
+ The following digest formats are supported: sha224, sha256, sha384 and sha512.
+ The string may be specified in either hex or base64 format
+ (base64 is more compact).
+@@ -675,6 +672,13 @@ It is also possible to use openssl to ge
+ $ openssl dgst -binary -sha224 /bin/ls | openssl base64
+ EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
+ .Ed
++.Pp
++If the user has write access to either the command itself or the
++directory in which the command is located (directly or via a
++.Nm sudo
++command) it may be possible for the user to replace the command
++after the digest check has been performed but before the command
++is executed.
+ .Ss Defaults
+ Certain configuration options may be changed from their default
+ values at run-time via one or more
diff --git a/SOURCES/sudo-1.8.6p7-ldap_sssd_parse_whitespaces.patch b/SOURCES/sudo-1.8.6p7-ldap_sssd_parse_whitespaces.patch
new file mode 100644
index 0000000..5f0a575
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p7-ldap_sssd_parse_whitespaces.patch
@@ -0,0 +1,91 @@
+diff -up sudo-1.8.6p7/common/fmt_string.c.ldap_sssd_parse_whitespaces sudo-1.8.6p7/common/fmt_string.c
+--- sudo-1.8.6p7/common/fmt_string.c.ldap_sssd_parse_whitespaces 2013-02-25 20:42:44.000000000 +0100
++++ sudo-1.8.6p7/common/fmt_string.c 2016-05-11 10:31:30.206090322 +0200
+@@ -38,6 +38,8 @@
+ # include
+ #endif /* HAVE_STRINGS_H */
+ 
++#include
++ 
+ #include "missing.h"
+ #include "sudo_debug.h"
+ 
+@@ -64,3 +66,17 @@ fmt_string(const char *var, const char *
+ 
+ debug_return_str(str);
+ }
++ 
++char * rm_whitespaces(char * str){
++ int state = 1;
++ char * c;
++ for (c = str ; *c != '\0' ; c++){
++ if (state && isspace(*c))str++;
++ else if (!isspace(*c))state = 0;
++ else if (!state && isspace(*c)){
++ *c = '\0';
++ break;
++ }
++ }
++ return str;
++}
+diff -up sudo-1.8.6p7/plugins/sudoers/ldap.c.ldap_sssd_parse_whitespaces sudo-1.8.6p7/plugins/sudoers/ldap.c
+--- sudo-1.8.6p7/plugins/sudoers/ldap.c.ldap_sssd_parse_whitespaces 2016-05-11 10:31:30.202090379 +0200
++++ sudo-1.8.6p7/plugins/sudoers/ldap.c 2016-05-11 10:31:30.207090307 +0200
+@@ -1012,17 +1012,17 @@ sudo_ldap_parse_options(LDAP *ld, LDAPMe
+ if (op == '+' || op == '-') {
+ *(val - 2) = '\0'; /* found, remove extra char */
+ /* case var+=val or var-=val */
+- set_default(var, strunquote(val), (int) op);
++ set_default(rm_whitespaces(var), strunquote(val), (int) op);
+ } else {
+ /* case var=val */
+- set_default(var, strunquote(val), true);
++ set_default(rm_whitespaces(var), strunquote(val), true);
+ }
+ } else if (*var == '!') {
+ /* case !var Boolean False */
+- set_default(var + 1, NULL, false);
++ set_default(rm_whitespaces(var + 1), NULL, false);
+ } else {
+ /* case var Boolean True */
+- set_default(var, NULL, true);
++ set_default(rm_whitespaces(var), NULL, true);
+ }
+ efree(var);
+ }
+diff -up sudo-1.8.6p7/plugins/sudoers/sssd.c.ldap_sssd_parse_whitespaces sudo-1.8.6p7/plugins/sudoers/sssd.c
+--- sudo-1.8.6p7/plugins/sudoers/sssd.c.ldap_sssd_parse_whitespaces 2016-05-11 10:31:30.202090379 +0200
++++ sudo-1.8.6p7/plugins/sudoers/sssd.c 2016-05-11 10:31:30.207090307 +0200
+@@ -1004,17 +1004,17 @@ sudo_sss_parse_options(struct sudo_sss_h
+ if (op == '+' || op == '-') {
+ *(val - 2) = '\0'; /* found, remove extra char */
+ /* case var+=val or var-=val */
+- set_default(v, strunquote(val), (int) op);
++ set_default(rm_whitespaces(v), strunquote(val), (int) op);
+ } else {
+ /* case var=val */
+- set_default(v, strunquote(val), true);
++ set_default(rm_whitespaces(v), strunquote(val), true);
+ }
+ } else if (*v == '!') {
+ /* case !var Boolean False */
+- set_default(v + 1, NULL, false);
++ set_default(rm_whitespaces(v + 1), NULL, false);
+ } else {
+ /* case var Boolean True */
+- set_default(v, NULL, true);
++ set_default(rm_whitespaces(v), NULL, true);
+ }
+ efree(v);
+ }
+diff -up sudo-1.8.6p7/plugins/sudoers/sudoers.h.ldap_sssd_parse_whitespaces sudo-1.8.6p7/plugins/sudoers/sudoers.h
+--- sudo-1.8.6p7/plugins/sudoers/sudoers.h.ldap_sssd_parse_whitespaces 2016-05-11 10:31:30.204090350 +0200
++++ sudo-1.8.6p7/plugins/sudoers/sudoers.h 2016-05-11 10:31:30.207090307 +0200
+@@ -346,6 +346,7 @@ int sudoers_hook_unsetenv(const char *na
+ 
+ /* fmt_string.c */
+ char *fmt_string(const char *, const char *);
++char *rm_whitespaces(char * str);
+ 
+ /* sudoers.c */
+ void plugin_cleanup(int);
diff --git a/SOURCES/sudo-1.8.6p7-ldapusermatchfix.patch b/SOURCES/sudo-1.8.6p7-ldapusermatchfix.patch
new file mode 100644
index 0000000..c922924
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p7-ldapusermatchfix.patch
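Review bot: `rm_whitespaces()` in the fmt_string.c hunk hands a plain `char` to `isspace()` in all three branches; where `char` is signed, a byte above 0x7F in an LDAP- or SSSD-supplied sudoOption value becomes a negative argument, which the `<ctype.h>` functions do not define. Cast at each call, `if (state && isspace((unsigned char)*c)) str++;`, `else if (!isspace((unsigned char)*c)) state = 0;`, and likewise in the third branch. The new `+#include` line in that hunk shows no header name in this rendering, so the stored patch is worth checking for a lost `<ctype.h>`. A one-line comment above the function saying that it returns a pointer into `str` (callers must still free the original, as the `efree(var)` and `efree(v)` lines in the ldap.c and sssd.c hunks do) and truncates at the first whitespace after the name would spare the next reader from working that out. The sudoers.h hunk's prototype inherits whatever fix is made here.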
@@ -0,0 +1,47 @@
+diff -up sudo-1.8.6p7/plugins/sudoers/ldap.c.ldapusermatchfix sudo-1.8.6p7/plugins/sudoers/ldap.c
+--- sudo-1.8.6p7/plugins/sudoers/ldap.c.ldapusermatchfix 2016-05-09 15:33:10.933510674 +0200
++++ sudo-1.8.6p7/plugins/sudoers/ldap.c 2016-05-09 15:33:10.937510618 +0200
+@@ -2735,22 +2735,37 @@ sudo_ldap_result_get(struct sudo_nss *ns
+ result = NULL;
+ rc = ldap_search_ext_s(ld, base->val, LDAP_SCOPE_SUBTREE, filt,
+ NULL, 0, NULL, NULL, tvp, 0, &result);
+- if (rc != LDAP_SUCCESS) {
++ if (rc != LDAP_SUCCESS || result == NULL) {
+ DPRINTF(("nothing found for '%s'", filt), 1);
+ continue;
+ }
+- lres->user_matches = true;
++ 
++ DPRINTF(("search result has %d entries (do_netgr=%s)",
++ ldap_count_entries(ld, result), do_netgr ? "true" : "false"), 1);
++ /*
++ * Only set user_matches if we got some results back and if we are
++ * NOT searching for netgroup entries. For the netgroup case, user_maches
++ * will be set only if a netgroup match was found.
++ */
++ lres->user_matches = lres->user_matches ? true : ldap_count_entries(ld, result) > 0 && !do_netgr;
+ 
+ /* Add the seach result to list of search results. */
+ DPRINTF(("adding search result"), 1);
+ sudo_ldap_result_add_search(lres, ld, result);
+ LDAP_FOREACH(entry, ld, result) {
+- if ((!do_netgr ||
+- sudo_ldap_check_user_netgroup(ld, entry, pw->pw_name)) &&
++ if (do_netgr) {
++ if (sudo_ldap_check_user_netgroup(ld, entry, pw->pw_name) &&
+ sudo_ldap_check_host(ld, entry)) {
+- lres->host_matches = true;
+- sudo_ldap_result_add_entry(lres, entry);
++ lres->host_matches = true;
++ lres->user_matches = true;
++ sudo_ldap_result_add_entry(lres, entry);
++ }
++ } else {
++ if (sudo_ldap_check_host(ld, entry)) {
++ lres->host_matches = true;
++ sudo_ldap_result_add_entry(lres, entry);
+ }
++ }
+ }
+ DPRINTF(("result now has %d entries", lres->nentries), 1);
+ }
diff --git a/SOURCES/sudo-1.8.6p7-logsudouser.patch b/SOURCES/sudo-1.8.6p7-logsudouser.patch
new file mode 100644
index 0000000..59e577f
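Review bot: The new `lres->user_matches = lres->user_matches ? true : ldap_count_entries(ld, result) > 0 && !do_netgr;` line in the sudo_ldap_result_get hunk mixes a conditional with an unparenthesised `&&` and calls `ldap_count_entries()` a second time right after the DPRINTF above it; `lres->user_matches = lres->user_matches || (!do_netgr && ldap_count_entries(ld, result) > 0);` expresses the same boolean and reads as one. The new comment block spells `user_maches`. Because `user_matches` feeds the authorization result, that comment should also say outright that in the do_netgr case the flag is set only inside the loop, after both the netgroup and the host check succeed, which is what the new `if (do_netgr)` branch implements. sudo_ldap_result_get starts before this hunk.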
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p7-logsudouser.patch
@@ -0,0 +1,77 @@
+diff -up sudo-1.8.6p7/plugins/sudoers/logging.c.logsudouser sudo-1.8.6p7/plugins/sudoers/logging.c
+--- sudo-1.8.6p7/plugins/sudoers/logging.c.logsudouser 2013-02-25 20:46:09.000000000 +0100
++++ sudo-1.8.6p7/plugins/sudoers/logging.c 2016-05-09 16:24:10.831703862 +0200
+@@ -146,7 +146,7 @@ do_syslog(int pri, char *msg)
+ * Log the full line, breaking into multiple syslog(3) calls if necessary
+ */
+ fmt = _(FMT_FIRST);
+- maxlen = MAXSYSLOGLEN - (strlen(fmt) - 5 + strlen(user_name));
++ maxlen = MAXSYSLOGLEN - (strlen(fmt) - 5 + strlen(sudo_user_name));
+ for (p = msg; *p != '\0'; ) {
+ len = strlen(p);
+ if (len > maxlen) {
+@@ -162,7 +162,7 @@ do_syslog(int pri, char *msg)
+ save = *tmp;
+ *tmp = '\0';
+ 
+- mysyslog(pri, fmt, user_name, p);
++ mysyslog(pri, fmt, sudo_user_name, p);
+ 
+ *tmp = save; /* restore saved character */
+ 
+@@ -170,11 +170,11 @@ do_syslog(int pri, char *msg)
+ for (p = tmp; *p == ' '; p++)
+ ;
+ } else {
+- mysyslog(pri, fmt, user_name, p);
++ mysyslog(pri, fmt, sudo_user_name, p);
+ p += len;
+ }
+ fmt = _(FMT_CONTD);
+- maxlen = MAXSYSLOGLEN - (strlen(fmt) - 5 + strlen(user_name));
++ maxlen = MAXSYSLOGLEN - (strlen(fmt) - 5 + strlen(sudo_user_name));
+ }
+ 
+ #ifdef HAVE_SETLOCALE
+@@ -216,17 +216,17 @@ do_logfile(char *msg)
+ /* Don't pretty-print long log file lines (hard to grep) */
+ if (def_log_host)
+ (void) fprintf(fp, "%s : %s : HOST=%s : %s\n",
+- get_timestr(now, def_log_year), user_name, user_shost, msg);
++ get_timestr(now, def_log_year), sudo_user_name, user_shost, msg);
+ else
+ (void) fprintf(fp, "%s : %s : %s\n",
+- get_timestr(now, def_log_year), user_name, msg);
++ get_timestr(now, def_log_year), sudo_user_name, msg);
+ } else {
+ if (def_log_host)
+ len = easprintf(&full_line, "%s : %s : HOST=%s : %s",
+- get_timestr(now, def_log_year), user_name, user_shost, msg);
++ get_timestr(now, def_log_year), sudo_user_name, user_shost, msg);
+ else
+ len = easprintf(&full_line, "%s : %s : %s",
+- get_timestr(now, def_log_year), user_name, msg);
++ get_timestr(now, def_log_year), sudo_user_name, msg);
+ 
+ /*
+ * Print out full_line with word wrap around def_loglinelen chars.
+@@ -689,7 +689,7 @@ send_mail(const char *fmt, ...)
+ #endif /* HAVE_NL_LANGINFO */
+ 
+ (void) fprintf(mail, "\n\n%s : %s : %s : ", user_host,
+- get_timestr(time(NULL), def_log_year), user_name);
++ get_timestr(time(NULL), def_log_year), sudo_user_name);
+ va_start(ap, fmt);
+ (void) vfprintf(mail, fmt, ap);
+ va_end(ap);
+diff -up sudo-1.8.6p7/plugins/sudoers/sudoers.h.logsudouser sudo-1.8.6p7/plugins/sudoers/sudoers.h
+--- sudo-1.8.6p7/plugins/sudoers/sudoers.h.logsudouser 2016-05-09 16:24:10.815704088 +0200
++++ sudo-1.8.6p7/plugins/sudoers/sudoers.h 2016-05-09 16:24:10.831703862 +0200
+@@ -171,6 +171,7 @@ struct sudo_user {
+ /*
+ * Shortcuts for sudo_user contents.
+ */
++#define sudo_user_name (sudo_user.pw->pw_name)
+ #define user_name (sudo_user.name)
+ #define user_uid (sudo_user.uid)
+ #define user_gid (sudo_user.gid)
diff --git a/SOURCES/sudo-1.8.6p7-netgroup_tuple.patch b/SOURCES/sudo-1.8.6p7-netgroup_tuple.patch
new file mode 100644
index 0000000..42f3ac2
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p7-netgroup_tuple.patch
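Review bot: The new `sudo_user_name` macro in the sudoers.h hunk dereferences `sudo_user.pw` unconditionally, and the logging.c hunks route every syslog, log-file and mail line through it; if any of those paths can run before `sudo_user.pw` is populated (the hunks do not show where it is set), the old `sudo_user.name` would have logged something and the new code dereferences NULL. Either guard the definition, e.g. `#define sudo_user_name (sudo_user.pw != NULL ? sudo_user.pw->pw_name : user_name)`, or put a comment on the macro stating the invariant it relies on. A short comment above the define naming which identity is logged, e.g. `/* passwd name of the invoking user, used for log lines in place of user_name */`, would also make the reason for the switch visible to anyone reading the header without this patch. The do_syslog, do_logfile and send_mail bodies each extend beyond their hunks.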
@@ -0,0 +1,194 @@
+diff -up sudo-1.8.6p7/plugins/sudoers/defaults.c.netgroup_tuple sudo-1.8.6p7/plugins/sudoers/defaults.c
+--- sudo-1.8.6p7/plugins/sudoers/defaults.c.netgroup_tuple 2016-05-09 15:34:41.059246583 +0200
++++ sudo-1.8.6p7/plugins/sudoers/defaults.c 2016-05-09 15:34:41.066246485 +0200
+@@ -362,6 +362,7 @@ init_defaults(void)
+ }
+ 
+ /* First initialize the flags. */
++ def_netgroup_tuple = false;
+ def_legacy_group_processing = true;
+ #ifdef LONG_OTP_PROMPT
+ def_long_otp_prompt = true;
+diff -up sudo-1.8.6p7/plugins/sudoers/def_data.c.netgroup_tuple sudo-1.8.6p7/plugins/sudoers/def_data.c
+--- sudo-1.8.6p7/plugins/sudoers/def_data.c.netgroup_tuple 2016-05-09 15:34:41.059246583 +0200
++++ sudo-1.8.6p7/plugins/sudoers/def_data.c 2016-05-09 15:34:41.066246485 +0200
+@@ -359,6 +359,10 @@ struct sudo_defs_types sudo_defs_table[]
+ N_("Don't pre-resolve all group names"),
+ NULL,
+ }, {
++ "netgroup_tuple", T_FLAG,
++ N_("Use both user and host/domain fields when matching netgroups"),
++ NULL,
++ }, {
+ NULL, 0, NULL
+ }
+ };
+diff -up sudo-1.8.6p7/plugins/sudoers/def_data.h.netgroup_tuple sudo-1.8.6p7/plugins/sudoers/def_data.h
+--- sudo-1.8.6p7/plugins/sudoers/def_data.h.netgroup_tuple 2016-05-09 15:34:41.059246583 +0200
++++ sudo-1.8.6p7/plugins/sudoers/def_data.h 2016-05-09 15:34:41.066246485 +0200
+@@ -166,6 +166,8 @@
+ #define I_CMND_NO_WAIT 82
+ #define def_legacy_group_processing (sudo_defs_table[83].sd_un.flag)
+ #define I_LEGACY_GROUP_PROCESSING 83
++#define def_netgroup_tuple (sudo_defs_table[84].sd_un.flag)
++#define I_NETGROUP_TUPLE 84
+ 
+ enum def_tuple {
+ never,
+diff -up sudo-1.8.6p7/plugins/sudoers/ldap.c.netgroup_tuple sudo-1.8.6p7/plugins/sudoers/ldap.c
+--- sudo-1.8.6p7/plugins/sudoers/ldap.c.netgroup_tuple 2016-05-09 15:34:41.065246499 +0200
++++ sudo-1.8.6p7/plugins/sudoers/ldap.c 2016-05-09 15:34:41.066246485 +0200
+@@ -636,8 +636,12 @@ sudo_ldap_check_user_netgroup(LDAP *ld,
+ for (p = bv; *p != NULL && !ret; p++) {
+ val = (*p)->bv_val;
+ /* match any */
+- if (netgr_matches(val, NULL, NULL, user))
+- ret = true;
++ if (netgr_matches(val,
++ def_netgroup_tuple ? user_host : NULL,
++ def_netgroup_tuple ? user_shost : NULL,
++ user)) {
++ ret = true;
++ }
+ DPRINTF(("ldap sudoUser netgroup '%s' ... %s", val,
+ ret ? "MATCH!" : "not"), 2 + ((ret) ? 0 : 1));
+ }
+@@ -652,7 +656,7 @@ sudo_ldap_check_user_netgroup(LDAP *ld,
+ * host match, else false.
+ */
+ static bool
+-sudo_ldap_check_host(LDAP *ld, LDAPMessage *entry)
++sudo_ldap_check_host(LDAP *ld, LDAPMessage *entry, char *user)
+ {
+ struct berval **bv, **p;
+ char *val;
+@@ -672,7 +676,7 @@ sudo_ldap_check_host(LDAP *ld, LDAPMessa
+ val = (*p)->bv_val;
+ /* match any or address or netgroup or hostname */
+ if (!strcmp(val, "ALL") || addr_matches(val) ||
+- netgr_matches(val, user_host, user_shost, NULL) ||
++ netgr_matches(val, user_host, user_shost, def_netgroup_tuple ? user : NULL) ||
+ hostname_matches(user_shost, user_host, val))
+ ret = true;
+ DPRINTF(("ldap sudoHost '%s' ... %s", val,
+@@ -729,7 +733,10 @@ sudo_ldap_check_runas_user(LDAP *ld, LDA
+ val = (*p)->bv_val;
+ switch (val[0]) {
+ case '+':
+- if (netgr_matches(val, NULL, NULL, runas_pw->pw_name))
++ if (netgr_matches(val,
++ def_netgroup_tuple ? user_host : NULL,
++ def_netgroup_tuple ? user_shost : NULL,
++ runas_pw->pw_name))
+ ret = true;
+ break;
+ case '%':
+@@ -2755,13 +2762,13 @@ sudo_ldap_result_get(struct sud_nss *ns
+ LDAP_FOREACH(entry, ld, result) {
+ if (do_netgr) {
+ if (sudo_ldap_check_user_netgroup(ld, entry, pw->pw_name) &&
+- sudo_ldap_check_host(ld, entry)) {
++ sudo_ldap_check_host(ld, entry, pw->pw_name)) {
+ lres->host_matches = true;
+ lres->user_matches = true;
+ sudo_ldap_result_add_entry(lres, entry);
+ }
+ } else {
+- if (sudo_ldap_check_host(ld, entry)) {
++ if (sudo_ldap_check_host(ld, entry, pw->pw_name)) {
+ lres->host_matches = true;
+ sudo_ldap_result_add_entry(lres, entry);
+ }
+diff -up sudo-1.8.6p7/plugins/sudoers/match.c.netgroup_tuple sudo-1.8.6p7/plugins/sudoers/match.c
+--- sudo-1.8.6p7/plugins/sudoers/match.c.netgroup_tuple 2016-05-09 15:34:41.062246541 +0200
++++ sudo-1.8.6p7/plugins/sudoers/match.c 2016-05-09 15:34:41.067246471 +0200
+@@ -117,7 +117,10 @@ userlist_matches(struct passwd *pw, stru
+ matched = !m->negated;
+ break;
+ case NETGROUP:
+- if (netgr_matches(m->name, NULL, NULL, pw->pw_name))
++ if (netgr_matches(m->name,
++ def_netgroup_tuple ? user_host : NULL,
++ def_netgroup_tuple ? user_shost : NULL,
++ pw->pw_name))
+ matched = !m->negated;
+ break;
+ case USERGROUP:
+@@ -172,7 +175,10 @@ runaslist_matches(struct member_list *us
+ user_matched = !m->negated;
+ break;
+ case NETGROUP:
+- if (netgr_matches(m->name, NULL, NULL, runas_pw->pw_name))
++ if (netgr_matches(m->name,
++ def_netgroup_tuple ? user_host : NULL,
++ def_netgroup_tuple ? user_shost : NULL,
++ runas_pw->pw_name))
+ user_matched = !m->negated;
+ break;
+ case USERGROUP:
+@@ -269,7 +275,7 @@ hostlist_matches(struct member_list *lis
+ matched = !m->negated;
+ break;
+ case NETGROUP:
+- if (netgr_matches(m->name, user_host, user_shost, NULL))
++ if (netgr_matches(m->name, user_host, user_shost, def_netgroup_tuple ? user_name : NULL))
+ matched = !m->negated;
+ break;
+ case NTWKADDR:
+diff -up sudo-1.8.6p7/plugins/sudoers/sssd.c.netgroup_tuple sudo-1.8.6p7/plugins/sudoers/sssd.c
+--- sudo-1.8.6p7/plugins/sudoers/sssd.c.netgroup_tuple 2016-05-09 15:34:41.056246625 +0200
++++ sudo-1.8.6p7/plugins/sudoers/sssd.c 2016-05-09 15:34:41.067246471 +0200
+@@ -452,7 +452,10 @@ sudo_sss_check_runas_user(struct sudo_ss
+ switch (val[0]) {
+ case '+':
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "netgr_");
+- if (netgr_matches(val, NULL, NULL, runas_pw->pw_name)) {
++ if (netgr_matches(val,
++ def_netgroup_tuple ? user_host : NULL,
++ def_netgroup_tuple ? user_shost : NULL,
++ runas_pw->pw_name)) {
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "=> match");
+ ret = true;
+ }
+@@ -551,7 +554,7 @@ sudo_sss_check_runas(struct sudo_sss_han
+ debug_return_bool(ret);
+ }
+ 
+-static bool sudo_sss_ipa_hostname_matches(const char *hostname_val)
++static bool sudo_sss_ipa_hostname_matches(const char *hostname_val, char *user)
+ {
+ bool ret = false;
+ char *ipa_hostname_val;
+@@ -559,7 +562,7 @@ static bool sudo_sss_ipa_hostname_matche
+ 
+ if ((ipa_hostname_val = ipa_hostname()) != NULL) {
+ ret = hostname_matches(ipa_hostname_val, ipa_hostname_val, hostname_val) || \
+- netgr_matches(hostname_val, ipa_hostname_val, ipa_hostname_val, NULL);
++ netgr_matches(hostname_val, ipa_hostname_val, ipa_hostname_val, def_netgroup_tuple ? user : NULL);
+ }
+ 
+ sudo_debug_printf(SUDO_DEBUG_TRACE, "IPA hostname (%s) matches %s => %s",
+@@ -600,8 +603,9 @@ sudo_sss_check_host(struct sudo_sss_hand
+ 
+ /* match any or address or netgroup or hostname */
+ if (!strcmp(val, "ALL") || addr_matches(val) ||
+- sudo_sss_ipa_hostname_matches(val) ||
+- netgr_matches(val, user_host, user_shost, NULL) ||
++ sudo_sss_ipa_hostname_matches(val, handle->pw->pw_name) ||
++ netgr_matches(val, user_host, user_shost,
++ def_netgroup_tuple ? handle->pw->pw_name : NULL) ||
+ hostname_matches(user_shost, user_host, val))
+ ret = true;
+ 
+@@ -649,7 +653,10 @@ bool sudo_sss_filter_sudoUser(struct sud
+ sudo_debug_printf(SUDO_DEBUG_DEBUG, "val[%d]=%s", i, val);
+ if (*val == '+') {
+ /* Netgroup spec found, check netgroup membership */
+- if (netgr_matches(val, NULL, NULL, handle->pw->pw_name)) {
++ if (netgr_matches(val,
++ def_netgroup_tuple ? user_host : NULL,
++ def_netgroup_tuple ? user_shost : NULL,
++ handle->pw->pw_name)) {
+ ret = true;
+ sudo_debug_printf(SUDO_DEBUG_DIAG,
+ "sssd/ldap sudoUser '%s' ... MATCH! (%s)", val, handle->pw->pw_name);
diff --git a/SOURCES/sudo-1.8.6p7-nproc-nowait.patch b/SOURCES/sudo-1.8.6p7-nproc-nowait.patch
new file mode 100644
index 0000000..0d75031
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p7-nproc-nowait.patch
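Review bot: The argument pair `def_netgroup_tuple ? user_host : NULL, def_netgroup_tuple ? user_shost : NULL` is repeated at seven `netgr_matches()` call sites across the ldap.c, match.c and sssd.c hunks, so the next change to the tuple rule has to be made in seven places; one helper living next to `netgr_matches()` (declared in whichever header already declares it, which is not in these hunks) keeps the rule in one spot, as sketched below. The `char *user` parameters added to `sudo_ldap_check_host()` and `sudo_sss_ipa_hostname_matches()` are only forwarded, so `const char *user` is the accurate type. In sudo, def_data.c and def_data.h are generated from def_data.in by mkdefaults; if that holds for this tree, the new option needs adding there too, since only the generated files are patched here, and no manual-page entry for `netgroup_tuple` is part of this patch. All of the patched functions start or end outside their hunks.
```c
/*
 * Match a user against a netgroup, honouring the netgroup_tuple default:
 * when it is set the host and domain fields take part in the comparison,
 * otherwise they are passed as NULL exactly as the pre-patch calls did.
 */
bool
netgr_matches_user(const char *netgr, const char *user)
{
    return netgr_matches(netgr,
	def_netgroup_tuple ? user_host : NULL,
	def_netgroup_tuple ? user_shost : NULL,
	user);
}

/* … each call site then collapses to one line, e.g. in userlist_matches(): … */
	if (netgr_matches_user(m->name, pw->pw_name))
	    matched = !m->negated;
```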
@@ -0,0 +1,48 @@
+diff -up sudo-1.8.6p7/src/exec.c.nproc-nowait sudo-1.8.6p7/src/exec.c
+--- sudo-1.8.6p7/src/exec.c.nproc-nowait 2016-05-11 12:56:58.694022525 +0200
++++ sudo-1.8.6p7/src/exec.c 2016-05-11 12:56:58.759021618 +0200
+@@ -298,6 +298,7 @@ sudo_execute(struct command_details *det
+ */
+ if (details->flags & CD_DONTWAIT) {
+ if (exec_setup(details, NULL, -1) == true) {
++ restore_nproc();
+ /* headed for execve() */
+ sudo_debug_execve(SUDO_DEBUG_INFO, details->command,
+ details->argv, details->envp);
+diff -up sudo-1.8.6p7/src/sudo.c.nproc-nowait sudo-1.8.6p7/src/sudo.c
+--- sudo-1.8.6p7/src/sudo.c.nproc-nowait 2016-05-11 12:56:58.758021632 +0200
++++ sudo-1.8.6p7/src/sudo.c 2016-05-11 13:12:21.833116202 +0200
+@@ -145,6 +145,7 @@ static struct rlimit corelimit;
+ #endif /* RLIMIT_CORE */
+ #if defined(__linux__)
+ static struct rlimit nproclimit;
++static struct rlimit orig_nproc_limit;
+ #endif
+
+ int
+@@ -853,6 +854,17 @@ unlimit_nproc(void)
+ debug_return;
+ }
+
++void restore_nproc(void)
++{
++ debug_decl(restore_nproc, SUDO_DEBUG_EXEC);
++#if defined(__linux__)
++ if (setrlimit(RLIMIT_NPROC, &orig_nproc_limit) != 0) {
++ errorx(1, _("Cannot restore nproc rlimit: errno=%d"), errno);
++ }
++#endif
++ debug_return;
++}
++
+ #ifdef HAVE_PROJECT_H
+ static void
+ set_project(struct passwd *pw)
+@@ -1089,6 +1101,7 @@ exec_setup(struct command_details *detai
+ */
+ #if defined(__linux__) && defined(_SC_CHILD_MAX)
+ {
++ getrlimit(RLIMIT_NPROC, &orig_nproc_limit);
+ struct rlimit rl;
+ long l;
+ errno = 0;
diff --git a/SOURCES/sudo-1.8.6p7-null_exception.patch b/SOURCES/sudo-1.8.6p7-null_exception.patch
new file mode 100644
index 0000000..f48b952
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p7-null_exception.patch
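Review bot: The `getrlimit(RLIMIT_NPROC, &orig_nproc_limit);` added to exec_setup ignores its return value, and `orig_nproc_limit` is a zero-initialised file-scope static, so on a failed call `restore_nproc()` would later install an all-zero limit on the command — exactly the condition this patch exists to avoid. Check it and only restore what was actually captured, e.g. `if (getrlimit(RLIMIT_NPROC, &orig_nproc_limit) != 0) errorx(1, _("unable to read nproc rlimit: errno=%d"), errno);` (or a `static bool` flag that `restore_nproc()` tests before calling setrlimit). The call is also inserted ahead of the `struct rlimit rl;` declaration, mixing statements and declarations in a block that was declaration-first; placing it after `long l;` avoids that. `restore_nproc()` is non-static in sudo.c and called from exec.c, but the patch adds no prototype to a shared header, so unless one exists elsewhere the exec.c call compiles as an implicit declaration; add `void restore_nproc(void);` to the header exec.c includes. sudo_execute and exec_setup both begin and end outside these hunks.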
@@ -0,0 +1,13 @@
+diff -up sudo-1.8.6p7/src/sudo.c.null_exception sudo-1.8.6p7/src/sudo.c
+--- sudo-1.8.6p7/src/sudo.c.null_exception 2016-05-11 10:39:56.466888652 +0200
++++ sudo-1.8.6p7/src/sudo.c 2016-05-11 10:39:56.530887742 +0200
+@@ -483,6 +483,9 @@ get_user_info(struct user_details *ud)
+ errorx(1, _("unable to allocate memory"));
+ ud->cwd = user_info[i] + sizeof("cwd=") - 1;
+ }
++ else {
++ errorx(1, _("unable to resolve current working directory"));
++ }
+
+ if ((cp = get_process_ttyname()) != NULL) {
+ user_info[++i] = fmt_string("tty", cp);
diff --git a/SOURCES/sudo-1.8.6p7-pam_servicebackport.patch b/SOURCES/sudo-1.8.6p7-pam_servicebackport.patch
new file mode 100644
index 0000000..53017f2
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p7-pam_servicebackport.patch
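Review bot: The new `else` branch makes a failed cwd lookup fatal but reports it with `errorx()`, which drops `errno`, so the user cannot tell a removed directory from a permission problem; if this tree has the errno-aware sibling used elsewhere in sudo.c, prefer `error(1, _("unable to resolve current working directory"));`. Refusing to run is the safer choice given the NULL dereference the bug report describes, but it changes behaviour for anyone invoking sudo from an unreadable or unlinked directory, which deserves a sentence in the patch header and the changelog. Style: the surrounding code closes the `if` with `}` on its own line, so the new branch should be cuddled as `} else {` rather than a bare `else {` on the following line. The `if` this `else` belongs to, and get_user_info itself, begin outside the hunk.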
@@ -0,0 +1,221 @@
+diff -up sudo-1.8.6p7/configure.in.pam_servicebackport sudo-1.8.6p7/configure.in
+--- sudo-1.8.6p7/configure.in.pam_servicebackport 2016-05-09 15:36:30.213715598 +0200
++++ sudo-1.8.6p7/configure.in 2016-05-09 15:36:30.237715261 +0200
+@@ -121,6 +121,7 @@ AC_SUBST([nsswitch_conf])
+ AC_SUBST([netsvc_conf])
+ AC_SUBST([secure_path])
+ AC_SUBST([editor])
++AC_SUBST([pam_login_service])
+ #
+ # Begin initial values for man page substitution
+ #
+@@ -160,6 +161,7 @@ netsvc_conf=/etc/netsvc.conf
+ noexec_file=/usr/local/libexec/sudo_noexec.so
+ nsswitch_conf=/etc/nsswitch.conf
+ secure_path="not set"
++pam_login_service=sudo
+ #
+ # End initial values for man page substitution
+ #
+@@ -2717,6 +2719,7 @@ if test ${with_pam-"no"} != "no"; then
+ yes) AC_DEFINE([HAVE_PAM_LOGIN])
+ AC_MSG_CHECKING(whether to use PAM login)
+ AC_MSG_RESULT(yes)
++ pam_login_service="sudo-i"
+ ;;
+ no) ;;
+ *) AC_MSG_ERROR(["--with-pam-login does not take an argument."])
+diff -up sudo-1.8.6p7/configure.pam_servicebackport sudo-1.8.6p7/configure
+--- sudo-1.8.6p7/configure.pam_servicebackport 2013-02-25 20:48:02.000000000 +0100
++++ sudo-1.8.6p7/configure 2016-05-09 15:36:30.238715247 +0200
+@@ -658,6 +658,7 @@ OBJEXT
+ EXEEXT
+ ac_ct_CC
+ CC
++pam_login_service
+ editor
+ secure_path
+ netsvc_conf
+@@ -2959,6 +2960,7 @@ netsvc_conf=/etc/netsvc.conf
+ noexec_file=/usr/local/libexec/sudo_noexec.so
+ nsswitch_conf=/etc/nsswitch.conf
+ secure_path="not set"
++pam_login_service=sudo
+ #
+ # End initial values for man page substitution
+ #
+@@ -18631,6 +18633,7 @@ if test "${with_pam_login+set}" = set; t
+ $as_echo_n "checking whether to use PAM login... " >&6; }
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
+ $as_echo "yes" >&6; }
++ pam_login_service="sudo-i"
+ ;;
+ no) ;;
+ *) as_fn_error $?
"\"--with-pam-login does not take an argument.\"" "$LINENO" 5
+diff -up sudo-1.8.6p7/doc/sudoers.cat.pam_servicebackport sudo-1.8.6p7/doc/sudoers.cat
+--- sudo-1.8.6p7/doc/sudoers.cat.pam_servicebackport 2016-05-09 15:36:30.222715472 +0200
++++ sudo-1.8.6p7/doc/sudoers.cat 2016-05-09 15:36:30.239715233 +0200
+@@ -1245,6 +1245,18 @@ SSUUDDOOEERRSS OOPPTTIIOONN
+ noexec file should now be set in the _/_e_t_c_/_s_u_d_o_._c_o_n_f
+ file.
+
++ pam_login_service
++ On systems that use PAM for authentication, this is the
++ service name used when the -^H-i^Hi option is specified. The
++ default value is ``sudo''. See the description of
++ _^Hp_^Ha_^Hm_^H__^Hs_^He_^Hr_^Hv_^Hi_^Hc_^He for more information.
++
++ pam_service On systems that use PAM for authentication, the service
++ name specifies the PAM policy to apply. This usually
++ corresponds to an entry in the _^Hp_^Ha_^Hm_^H._^Hc_^Ho_^Hn_^Hf file or a fi
++ in the _^H/_^He_^Ht_^Hc_^H/_^Hp_^Ha_^Hm_^H._^Hd directory. The default valu
++ ``sudo''.
++
+ passprompt The default prompt to use when asking for a password;
+ can be overridden via the --pp option or the SUDO_PROMPT
+ environment variable. The following percent (`%')
+diff -up sudo-1.8.6p7/doc/sudoers.man.in.pam_servicebackport sudo-1.8.6p7/doc/sudoers.man.in
+--- sudo-1.8.6p7/doc/sudoers.man.in.pam_servicebackport 2016-05-09 15:36:30.223715458 +0200
++++ sudo-1.8.6p7/doc/sudoers.man.in 2016-05-09 15:36:30.239715233 +0200
+@@ -2628,6 +2628,29 @@ The path to the noexec file should now b
+ \fI@sysconfdir@/sudo.conf\fR
+ file.
+ .TP 18n
++pam_login_service
++.br
++On systems that use PAM for authentication, this is the service
++name used when the
++\fB\-i\fR
++option is specified.
++The default value is
++``\fR@pam_login_service@\fR''.
++See the description of
++\fIpam_service\fR
++for more information.
++.TP 18n
++pam_service
++On systems that use PAM for authentication, the service name
++specifies the PAM policy to apply.
++This usually corresponds to an entry in the
++\fIpam.conf\fR
++file or a file in the
++\fI/etc/pam.d\fR
++directory.
++The default value is
++``\fRsudo\fR''.
++.TP 18n
+ passprompt
+ The default prompt to use when asking for a password; can be overridden via the
+ \fB\-p\fR
+diff -up sudo-1.8.6p7/doc/sudoers.mdoc.in.pam_servicebackport sudo-1.8.6p7/doc/sudoers.mdoc.in
+--- sudo-1.8.6p7/doc/sudoers.mdoc.in.pam_servicebackport 2016-05-09 15:36:30.223715458 +0200
++++ sudo-1.8.6p7/doc/sudoers.mdoc.in 2016-05-09 15:36:30.240715219 +0200
+@@ -2464,6 +2464,26 @@ This option is no longer supported.
+ The path to the noexec file should now be set in the
+ .Pa @sysconfdir@/sudo.conf
+ file.
++.It pam_login_service
++On systems that use PAM for authentication, this is the service
++name used when the
++.Fl i
++option is specified.
++The default value is
++.Dq Li @pam_login_service@ .
++See the description of
++.Em pam_service
++for more information.
++.It pam_service
++On systems that use PAM for authentication, the service name
++specifies the PAM policy to apply.
++This usually corresponds to an entry in the
++.Pa pam.conf
++file or a file in the
++.Pa /etc/pam.d
++directory.
++The default value is
++.Dq Li sudo .
+ .It passprompt
+ The default prompt to use when asking for a password; can be overridden via the
+ .Fl p
+diff -up sudo-1.8.6p7/plugins/sudoers/auth/pam.c.pam_servicebackport sudo-1.8.6p7/plugins/sudoers/auth/pam.c
+--- sudo-1.8.6p7/plugins/sudoers/auth/pam.c.pam_servicebackport 2016-05-09 15:36:30.202715752 +0200
++++ sudo-1.8.6p7/plugins/sudoers/auth/pam.c 2016-05-09 15:36:30.240715219 +0200
+@@ -90,12 +90,8 @@ sudo_pam_init(struct passwd *pw, sudo_au
+ if (auth != NULL)
+ auth->data = (void *) &pam_status;
+ pam_conv.conv = converse;
+-#ifdef HAVE_PAM_LOGIN
+- if (ISSET(sudo_mode, MODE_LOGIN_SHELL))
+- pam_status = pam_start("sudo-i", pw->pw_name, &pam_conv, &pamh);
+- else
+-#endif
+- pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh);
++ pam_status = pam_start(ISSET(sudo_mode, MODE_LOGIN_SHELL) ?
++ def_pam_login_service : def_pam_service, pw->pw_name, &pam_conv, &pamh);
+ if (pam_status != PAM_SUCCESS) {
+ log_error(USE_ERRNO|NO_MAIL, _("unable to initialize PAM"));
+ debug_return_int(AUTH_FATAL);
+diff -up sudo-1.8.6p7/plugins/sudoers/defaults.c.pam_servicebackport sudo-1.8.6p7/plugins/sudoers/defaults.c
+--- sudo-1.8.6p7/plugins/sudoers/defaults.c.pam_servicebackport 2016-05-09 15:36:30.234715304 +0200
++++ sudo-1.8.6p7/plugins/sudoers/defaults.c 2016-05-09 15:36:30.240715219 +0200
+@@ -424,6 +424,13 @@ init_defaults(void)
+ def_env_reset = ENV_RESET;
+ def_set_logname = true;
+ def_closefrom = STDERR_FILENO + 1;
++ def_pam_service = estrdup("sudo");
++#ifdef HAVE_PAM_LOGIN
++ def_pam_login_service = estrdup("sudo-i");
++#else
++ def_pam_login_service = estrdup("sudo");
++#endif
++
+
+ /* Syslog options need special care since they both strings and ints */
+ #if (LOGGING & SLOG_SYSLOG)
+diff -up sudo-1.8.6p7/plugins/sudoers/def_data.c.pam_servicebackport sudo-1.8.6p7/plugins/sudoers/def_data.c
+--- sudo-1.8.6p7/plugins/sudoers/def_data.c.pam_servicebackport 2016-05-09 15:36:30.234715304 +0200
++++ sudo-1.8.6p7/plugins/sudoers/def_data.c
2016-05-09 15:36:30.240715219 +0200
+@@ -363,6 +363,14 @@ struct sudo_defs_types sudo_defs_table[]
+ N_("Use both user and host/domain fields when matching netgroups"),
+ NULL,
+ }, {
++ "pam_service", T_STR,
++ N_("PAM service name to use"),
++ NULL,
++ }, {
++ "pam_login_service", T_STR,
++ N_("PAM service name to use for login shells"),
++ NULL,
++ }, {
+ NULL, 0, NULL
+ }
+ };
+diff -up sudo-1.8.6p7/plugins/sudoers/def_data.h.pam_servicebackport sudo-1.8.6p7/plugins/sudoers/def_data.h
+--- sudo-1.8.6p7/plugins/sudoers/def_data.h.pam_servicebackport 2016-05-09 15:36:30.235715289 +0200
++++ sudo-1.8.6p7/plugins/sudoers/def_data.h 2016-05-09 15:36:30.240715219 +0200
+@@ -168,6 +168,11 @@
+ #define I_LEGACY_GROUP_PROCESSING 83
+ #define def_netgroup_tuple (sudo_defs_table[84].sd_un.flag)
+ #define I_NETGROUP_TUPLE 84
++#define def_pam_service (sudo_defs_table[85].sd_un.str)
++#define I_PAM_SERVICE 85
++#define def_pam_login_service (sudo_defs_table[86].sd_un.str)
++#define I_PAM_LOGIN_SERVICE 86
++
+
+ enum def_tuple {
+ never,
+diff -up sudo-1.8.6p7/plugins/sudoers/def_data.in.pam_servicebackport sudo-1.8.6p7/plugins/sudoers/def_data.in
+--- sudo-1.8.6p7/plugins/sudoers/def_data.in.pam_servicebackport 2013-02-25 20:42:44.000000000 +0100
++++ sudo-1.8.6p7/plugins/sudoers/def_data.in 2016-05-09 15:36:30.240715219 +0200
+@@ -259,3 +259,10 @@ privs
+ limitprivs
+ T_STR
+ "Set of limit privileges"
++pam_service
++ T_STR
++ "PAM service name to use"
++pam_login_service
++ T_STR
++ "PAM service name to use for login shells"
++
diff --git a/SOURCES/sudo-1.8.6p7-segfault-null-group-list.patch b/SOURCES/sudo-1.8.6p7-segfault-null-group-list.patch
new file mode 100644
index 0000000..609c872
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p7-segfault-null-group-list.patch
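Review bot: Two lines in the sudoers.cat hunk are truncated — `file or a fi` and `The default valu` — so the preformatted manual will ship with cut-off words; regenerate sudoers.cat from sudoers.man.in/sudoers.mdoc.in instead of editing the cat file by hand. The two new T_STR entries in def_data.c carry a NULL check callback, so whatever an administrator writes in `Defaults pam_service=...` reaches `pam_start()` unvalidated; a callback that rejects an empty name (and arguably one containing `/`) would turn a misconfiguration into a parse-time error rather than an opaque PAM failure at authentication time. `init_defaults()` now `estrdup()`s both strings on every call, which only avoids a leak if the T_STR clearing loop at the top of that function (outside the hunk) frees the previous values — worth confirming. Minor: defaults.c and def_data.h each gain a doubled blank line and def_data.in gains a trailing empty line.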
@@ -0,0 +1,13 @@
+diff -up sudo-1.8.6p7/plugins/sudoers/match.c.segfault-null-group-list sudo-1.8.6p7/plugins/sudoers/match.c
+--- sudo-1.8.6p7/plugins/sudoers/match.c.segfault-null-group-list 2016-05-11 10:22:29.201786896 +0200
++++ sudo-1.8.6p7/plugins/sudoers/match.c 2016-05-11 10:22:29.212786739 +0200
+@@ -164,6 +164,9 @@ runaslist_matches(struct member_list *us
+ int group_matched = UNSPEC;
+ debug_decl(runaslist_matches, SUDO_DEBUG_MATCH)
+
++ if (user_list == NULL)user_list = ∅
++ if (group_list == NULL)group_list = ∅
++
+ if (runas_pw != NULL) {
+ /* If no runas user or runas group listed in sudoers, use default. */
+ if (tq_empty(user_list) && tq_empty(group_list))
diff --git a/SOURCES/sudo-1.8.6p7-unprivileged-list-fix.patch b/SOURCES/sudo-1.8.6p7-unprivileged-list-fix.patch
new file mode 100644
index 0000000..231ac8f
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p7-unprivileged-list-fix.patch
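Review bot: The two guards read `if (user_list == NULL)user_list = ∅` on this page, with U+2205 and no terminating semicolon; that is most likely `&empty;` swallowed as an HTML entity, so the intended code is presumably `user_list = &empty;`, which requires a `static struct member_list empty;` (or equivalent, initialised as an empty tail queue) in match.c outside this hunk — confirm it exists, since the hunk does not add one. Style: separate the condition from the statement the way the surrounding code does, `if (user_list == NULL)` followed by the assignment on its own indented line, rather than `)user_list`. A one-line comment above the guards would tell the next reader why NULL is tolerated here: `/* Callers may pass NULL for either list; treat it as empty. */`. runaslist_matches begins and ends outside the hunk.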
@@ -0,0 +1,37 @@
+diff -up sudo-1.8.6p7/plugins/sudoers/ldap.c.unprivileged-list-fix sudo-1.8.6p7/plugins/sudoers/ldap.c
+--- sudo-1.8.6p7/plugins/sudoers/ldap.c.unprivileged-list-fix 2016-05-09 15:58:36.581120998 +0200
++++ sudo-1.8.6p7/plugins/sudoers/ldap.c 2016-05-09 15:58:36.588120900 +0200
+@@ -2494,12 +2494,12 @@ sudo_ldap_lookup(struct sudo_nss *nss, i
+ /* Only check the command when listing another user. */
+ if (user_uid == 0 || list_pw == NULL ||
+ user_uid == list_pw->pw_uid ||
+- sudo_ldap_check_command(ld, entry, NULL)) {
++ sudo_ldap_check_command(ld, entry, NULL) == true) {
+ matched = true;
+ break;
+ }
+ }
+- if (matched || user_uid == 0) {
++ if (matched == true || user_uid == 0) {
+ SET(ret, VALIDATE_OK);
+ CLR(ret, VALIDATE_NOT_OK);
+ if (def_authenticate) {
+diff -up sudo-1.8.6p7/plugins/sudoers/sssd.c.unprivileged-list-fix sudo-1.8.6p7/plugins/sudoers/sssd.c
+--- sudo-1.8.6p7/plugins/sudoers/sssd.c.unprivileged-list-fix 2016-05-09 15:58:36.581120998 +0200
++++ sudo-1.8.6p7/plugins/sudoers/sssd.c 2016-05-09 15:58:36.589120886 +0200
+@@ -1062,13 +1062,13 @@ sudo_sss_lookup(struct sudo_nss *nss, in
+ /* Only check the command when listing another user. */
+ if (user_uid == 0 || list_pw == NULL ||
+ user_uid == list_pw->pw_uid ||
+- sudo_sss_check_command(handle, rule, NULL)) {
++ sudo_sss_check_command(handle, rule, NULL) == true) {
+ matched = true;
+ break;
+ }
+ }
+ }
+- if (matched || user_uid == 0) {
++ if (matched == true || user_uid == 0) {
+ SET(ret, VALIDATE_OK);
+ CLR(ret, VALIDATE_NOT_OK);
+ if (def_authenticate) {
diff --git a/SOURCES/sudo-1.8.6p7-visudocontent.patch b/SOURCES/sudo-1.8.6p7-visudocontent.patch
new file mode 100644
index 0000000..1177797
--- /dev/null
+++ b/SOURCES/sudo-1.8.6p7-visudocontent.patch
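Review bot: `sudo_ldap_check_command(ld, entry, NULL) == true` closes the listing hole only because the callee can presumably return UNSPEC (-1), a value the old bare test treated as a match; nothing at the call site says so, and the next cleanup will fold it back to the plain call. Record the reason where it matters, e.g. `/* May return UNSPEC (-1): only an explicit match grants the listing. */` above the condition. The `matched == true` change is a no-op if `matched` is a `bool` (its declaration is outside the hunk) and reads like a second defensive comparison; `if (matched || user_uid == 0)` was the clearer form. The same applies to the sssd.c hunk with `sudo_sss_check_command()`; sudo_ldap_lookup and sudo_sss_lookup both begin and end outside these hunks.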
@@ -0,0 +1,20 @@
+diff -up ./plugins/sudoers/visudo.c.fix ./plugins/sudoers/visudo.c
+--- ./plugins/sudoers/visudo.c.fix 2015-09-15 10:00:25.957642667 +0200
++++ ./plugins/sudoers/visudo.c 2015-09-15 12:37:43.478306234 +0200
+@@ -479,6 +479,7 @@ reparse_sudoers(char *editor, char *args
+ * Parse the edited sudoers files and do sanity checking
+ */
+ do {
++ parse_error = NULL;
+ sp = tq_first(&sudoerslist);
+ last = tq_last(&sudoerslist);
+ fp = fopen(sp->tpath, "r+");
+@@ -544,7 +545,7 @@ reparse_sudoers(char *editor, char *args
+ continue;
+ edit_sudoers(sp, editor, args, errorlineno);
+ }
+- } while (parse_error && sp != NULL);
++ } while (parse_error);
+
+ debug_return;
+ }
diff --git a/SOURCES/sudo-ldap.conf b/SOURCES/sudo-ldap.conf
new file mode 100644
index 0000000..d8f8e4d
--- /dev/null
+++ b/SOURCES/sudo-ldap.conf
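Review bot: `parse_error = NULL;` assigns a null pointer constant to what upstream's gram.y declares as `bool parse_error`; it only compiles through pointer-to-_Bool conversion and should read `parse_error = false;` (or whatever this tree's declared type uses for "no error"). The `continue; edit_sudoers(...); }` context just above the changed `while` looks like the tail of a `for (sp = last->next; sp != NULL; ...)` loop over newly added include files, which always leaves `sp` NULL; that is why the old `sp != NULL` test ended the loop after one pass, and a comment on the new condition would keep someone from "restoring" it: `/* sp is always NULL here after the include loop; loop on parse_error alone. */`. reparse_sudoers begins outside the hunk, so the loop body between the two hunks is not visible here.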
@@ -0,0 +1,86 @@
+## BINDDN DN
+## The BINDDN parameter specifies the identity, in the form of a Dis‐
+## tinguished Name (DN), to use when performing LDAP operations. If
+## not specified, LDAP operations are performed with an anonymous
+## identity. By default, most LDAP servers will allow anonymous
+## access.
+##
+#binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com
+
+## BINDPW secret
+## The BINDPW parameter specifies the password to use when performing
+## LDAP operations. This is typically used in conjunction with the
+## BINDDN parameter.
+##
+#bindpw secret
+
+## SSL start_tls
+## If the SSL parameter is set to start_tls, the LDAP server connec‐
+## tion is initiated normally and TLS encryption is begun before the
+## bind credentials are sent. This has the advantage of not requiring
+## a dedicated port for encrypted communications. This parameter is
+## only supported by LDAP servers that honor the start_tls extension,
+## such as the OpenLDAP and Tivoli Directory servers.
+##
+#ssl start_tls
+
+## TLS_CACERTFILE file name
+## The path to a certificate authority bundle which contains the cer‐
+## tificates for all the Certificate Authorities the client knows to
+## be valid, e.g. /etc/ssl/ca-bundle.pem. This option is only sup‐
+## ported by the OpenLDAP libraries. Netscape-derived LDAP libraries
+## use the same certificate database for CA and client certificates
+## (see TLS_CERT).
+##
+#tls_cacertfile /path/to/CA.crt
+
+## TLS_CHECKPEER on/true/yes/off/false/no
+## If enabled, TLS_CHECKPEER will cause the LDAP server's TLS certifi‐
+## cated to be verified. If the server's TLS certificate cannot be
+## verified (usually because it is signed by an unknown certificate
+## authority), sudo will be unable to connect to it. If TLS_CHECKPEER
+## is disabled, no check is made. Note that disabling the check cre‐
+## ates an opportunity for man-in-the-middle attacks since the
+## server's identity will not be authenticated.
If possible, the CA's
+## certificate should be installed locally so it can be verified.
+## This option is not supported by the Tivoli Directory Server LDAP
+## libraries.
+#tls_checkpeer yes
+
+##
+## URI ldap[s]://[hostname[:port]] ...
+## Specifies a whitespace-delimited list of one or more
+## URIs describing the LDAP server(s) to connect to.
+##
+#uri ldap://ldapserver
+
+##
+## SUDOERS_BASE base
+## The base DN to use when performing sudo LDAP queries.
+## Multiple SUDOERS_BASE lines may be specified, in which
+## case they are queried in the order specified.
+##
+#sudoers_base ou=SUDOers,dc=example,dc=com
+
+##
+## BIND_TIMELIMIT seconds
+## The BIND_TIMELIMIT parameter specifies the amount of
+## time to wait while trying to connect to an LDAP server.
+##
+#bind_timelimit 30
+
+##
+## TIMELIMIT seconds
+## The TIMELIMIT parameter specifies the amount of time
+## to wait for a response to an LDAP query.
+##
+#timelimit 30
+
+##
+## SUDOERS_DEBUG debug_level
+## This sets the debug level for sudo LDAP queries. Debugging
+## information is printed to the standard error. A value of 1
+## results in a moderate amount of debugging information.
+## A value of 2 shows the results of the matches themselves.
+##
+#sudoers_debug 1
diff --git a/SOURCES/sudo.conf b/SOURCES/sudo.conf
new file mode 100644
index 0000000..3047842
--- /dev/null
+++ b/SOURCES/sudo.conf
@@ -0,0 +1,57 @@
+#
+# Default /etc/sudo.conf file
+#
+# Format:
+# Plugin plugin_name plugin_path plugin_options ...
+# Path askpass /path/to/askpass
+# Path noexec /path/to/sudo_noexec.so
+# Debug sudo /var/log/sudo_debug all@warn
+# Set disable_coredump true
+#
+# Sudo plugins:
+#
+# The plugin_path is relative to ${prefix}/libexec unless fully qualified.
+# The plugin_name corresponds to a global symbol in the plugin
+# that contains the plugin interface structure.
+# The plugin_options are optional.
+#
+# The sudoers plugin is used by default if no Plugin lines are present.
+Plugin sudoers_policy sudoers.so
+Plugin sudoers_io sudoers.so
+
+#
+# Sudo askpass:
+#
+# An askpass helper program may be specified to provide a graphical
+# password prompt for "sudo -A" support. Sudo does not ship with its
+# own passpass program but can use the OpenSSH askpass.
+#
+# Use the OpenSSH askpass
+#Path askpass /usr/X11R6/bin/ssh-askpass
+#
+# Use the Gnome OpenSSH askpass
+#Path askpass /usr/libexec/openssh/gnome-ssh-askpass
+
+#
+# Sudo noexec:
+#
+# Path to a shared library containing dummy versions of the execv(),
+# execve() and fexecve() library functions that just return an error.
+# This is used to implement the "noexec" functionality on systems that
+# support C or its equivalent.
+# The compiled-in value is usually sufficient and should only be changed
+# if you rename or move the sudo_noexec.so file.
+#
+#Path noexec /usr/libexec/sudo_noexec.so
+
+#
+# Core dumps:
+#
+# By default, sudo disables core dumps while it is executing (they
+# are re-enabled for the command that is run).
+# To aid in debugging sudo problems, you may wish to enable core
+# dumps by setting "disable_coredump" to false.
+#
+# Set to false here so as not to interfere with /proc/sys/fs/suid_dumpable
+#
+Set disable_coredump false
diff --git a/SOURCES/sudoers b/SOURCES/sudoers
new file mode 100644
index 0000000..9737a8b
--- /dev/null
+++ b/SOURCES/sudoers
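Review bot: The askpass comment has a typo, `own passpass program`, which should read `own askpass program`. The noexec paragraph, `support C or its equivalent`, also looks like a dropped word (presumably the name of the preload mechanism), so it is worth re-checking against the sudo.conf shipped in the upstream tarball before this becomes the installed /etc/sudo.conf.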
@@ -0,0 +1,111 @@
+## Sudoers allows particular users to run various commands as
+## the root user, without needing the root password.
+##
+## Examples are provided at the bottom of the file for collections
+## of related commands, which can then be delegated out to particular
+## users or groups.
+##
+## This file must be edited with the 'visudo' command.
+
+## Host Aliases
+## Groups of machines. You may prefer to use hostnames (perhaps using
+## wildcards for entire domains) or IP addresses instead.
+# Host_Alias FILESERVERS = fs1, fs2
+# Host_Alias MAILSERVERS = smtp, smtp2
+
+## User Aliases
+## These aren't often necessary, as you can use regular groups
+## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
+## rather than USERALIAS
+# User_Alias ADMINS = jsmith, mikem
+
+
+## Command Aliases
+## These are groups of related commands...
+
+## Networking
+# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
+
+## Installation and management of software
+# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
+
+## Services
+# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
+
+## Updating the locate database
+# Cmnd_Alias LOCATE = /usr/bin/updatedb
+
+## Storage
+# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
+
+## Delegating permissions
+# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
+
+## Processes
+# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
+
+## Drivers
+# Cmnd_Alias DRIVERS = /sbin/modprobe
+
+# Defaults specification
+
+#
+# Refuse to run if unable to disable echo on the tty.
+#
+Defaults !visiblepw
+
+#
+# Preserving HOME has security implications since many programs
+# use it when searching for configuration files. Note that HOME
+# is already set when the the env_reset option is enabled, so
+# this option is only effective for configurations where either
+# env_reset is disabled or HOME is present in the env_keep list.
+#
+Defaults always_set_home
+
+Defaults env_reset
+Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
+Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
+Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
+Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
+Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
+
+#
+# Adding HOME to env_keep may enable a user to run unrestricted
+# commands via sudo.
+#
+# Defaults env_keep += "HOME"
+
+Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
+
+## Next comes the main part: which users can run what software on
+## which machines (the sudoers file can be shared between multiple
+## systems).
+## Syntax:
+##
+## user MACHINE=COMMANDS
+##
+## The COMMANDS section may have other options added to it.
+##
+## Allow root to run any commands anywhere
+root ALL=(ALL) ALL
+
+## Allows members of the 'sys' group to run networking, software,
+## service management apps and more.
+# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
+
+## Allows people in group wheel to run all commands
+%wheel ALL=(ALL) ALL
+
+## Same thing without a password
+# %wheel ALL=(ALL) NOPASSWD: ALL
+
+## Allows members of the users group to mount and unmount the
+## cdrom as root
+# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
+
+## Allows members of the users group to shutdown this system
+# %users localhost=/sbin/shutdown -h now
+
+## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment)
+#includedir /etc/sudoers.d
diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec
index 9efa9d9..ad1cab7 100644
--- a/SPECS/sudo.spec
+++ b/SPECS/sudo.spec
@@ -1,14 +1,14 @@
Summary: Allows restricted root access for specified users
Name: sudo
Version: 1.8.6p7
-Release: 17%{?dist}
+Release: 20%{?dist}
License: ISC
Group: Applications/System
URL: http://www.courtesan.com/sudo/
Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz
-Source1: sudo-1.8.6p7-14-sudoers
-Source2: sudo-1.7.4p5-sudo-ldap.conf
-Source3: sudo-1.8.6p3-sudo.conf
+Source1: sudoers
+Source2: sudo-ldap.conf
+Source3: sudo.conf
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: /etc/pam.d/system-auth, vim-minimal
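Review bot: The always_set_home comment has a doubled word, `when the the env_reset option`. Since the changelog describes this file as the default policy with requiretty removed and INPUTRC dropped from env_keep as a potential info leak, a one-line comment next to the `Defaults env_keep` block recording that INPUTRC is deliberately absent would stop a later edit from reintroducing it; the file itself gives no hint that the omission is intentional.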
@@ -116,8 +116,34 @@ Patch41: sudo-1.8.6p7-legacy-group-processing.patch
Patch42: sudo-1.8.6p7-newbase64decoder.patch
# 1183818 - [RFE] store checksum alongside the command being permitted
Patch43: sudo-1.8.6p7-digestmessagesfix.patch
-# 1308495 - closefrom_override sudo option not working
+# 1297062 - closefrom_override sudo option not working
Patch44: sudo-1.8.6p7-closefrom-override-fix.patch
+# 1334360 - sudo option mail_no_user doesn't work
+Patch45: sudo-1.8.6p7-ldapusermatchfix.patch
+# 1334331 - [RFE] Implement sudoers option to change netgroup processing semantics
+Patch46: sudo-1.8.6p7-netgroup_tuple.patch
+# 1247230 - Backport pam_service and pam_login_service sudoers options
+Patch47: sudo-1.8.6p7-pam_servicebackport.patch
+# 1261998 - visudo accept non valid content
+Patch48: sudo-1.8.6p7-visudocontent.patch
+# 1313364 - non-root user can list privileges of other users
+Patch49: sudo-1.8.6p7-unprivileged-list-fix.patch
+# 1312486 - RHEL7 sudo logs username "root" instead of realuser in /var/log/secure
+Patch50: sudo-1.8.6p7-logsudouser.patch
+# 1268958 - sudo - cmnd_no_wait can cause child processes to ignore SIGPIPE
+Patch51: sudo-1.8.6p3-sigpipefix.patch
+# 1335039 - sudo segfault segfault at 8 i error 4 in sudoers.so[7f4a87ef1000+45000]
+Patch52: sudo-1.8.6p7-segfault-null-group-list.patch
+# 1335042 - sudo command throwing error when defaults records are added in ldap based on sudoers2ldif generated ldif.
+Patch53: sudo-1.8.6p7-ldap_sssd_parse_whitespaces.patch
+# 1335045 - getcwd failed, resulting in Null pointer exception
+Patch54: sudo-1.8.6p7-null_exception.patch
+# 1273243 - sudo improperly sets RLIMIT_NPROC=0 when using Defaults cmnd_no_wait
+Patch55: sudo-1.8.6p7-nproc-nowait.patch
+# 1299883 - sudo: document raciness of the digest check
+Patch56: sudo-1.8.6p7-digest_race_doc.patch
+# 1350828 - [RHEL7] visudo ignores -q flag
+Patch57: sudo-1.8.6p3-visudo-quiet-flag.patch
%description
Sudo (superuser do) allows a system administrator to give certain
@@ -186,6 +212,19 @@ plugins that use %{name}.
%patch42 -p1 -b .newbase64decoder
%patch43 -p1 -b .digestmessagesfix
%patch44 -p1 -b .closefrom-override-fix
+%patch45 -p1 -b .ldapusermatchfix
+%patch46 -p1 -b .netgroup_tuple
+%patch47 -p1 -b .pam_servicebackport
+%patch48 -p1 -b .visudocontent
+%patch49 -p1 -b .unprivileged-list-fix
+%patch50 -p1 -b .logsudouser
+%patch51 -p1 -b .sigpipefix
+%patch52 -p1 -b .segfault-null-group-list
+%patch53 -p1 -b .ldap_sssd_parse_whitespaces
+%patch54 -p1 -b .null_exception
+%patch55 -p1 -b .nproc-nowait
+%patch56 -p1 -b .digest_race_doc
+%patch57 -p1 -b .visudo-quiet-flag
%build
autoreconf -I m4 -fv --install
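Review bot: Two of the newly declared patches are named for a different release than the rest — `Patch51: sudo-1.8.6p3-sigpipefix.patch` and `Patch57: sudo-1.8.6p3-visudo-quiet-flag.patch` beside the `sudo-1.8.6p7-*` names of Patch45–Patch56 — which obscures which tree they were generated against; rename them to the 1.8.6p7 convention if they were rebased onto this source. The Patch52 comment also carries a doubled word, `sudo segfault segfault at 8`. Several of the declared files (ldapusermatchfix, logsudouser, sigpipefix, ldap_sssd_parse_whitespaces, digest_race_doc, visudo-quiet-flag) are not visible in this part of the diff, so I cannot confirm they are added under SOURCES alongside the others.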
@@ -307,9 +346,45 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man8/sudo_plugin.8*
%changelog
-* Wed Feb 17 2016 Daniel Kopecek - 1.8.6p7-17
+* Tue Jul 19 2016 Daniel Kopecek - 1.8.6p7-20
+- RHEL 7.3 erratum
+ - fixed visudo's -q flag
+ Resolves: rhbz#1350828
+
+* Tue Jun 14 2016 Daniel Kopecek - 1.8.6p7-19
+- RHEL 7.3 erratum
+ - removed INPUTRC from env_keep to prevent a potential info leak
+ Resolves: rhbz#1340700
+
+* Wed May 11 2016 Daniel Kopecek - 1.8.6p7-18
+- RHEL 7.3 erratum
+ - removed requiretty flag from the default sudoers policy
+ - backported pam_service and pam_login_service defaults options
+ - implemented netgroup_tuple defaults option for changing netgroup
+ processing semantics
+ - fixed user matching logic in the LDAP nss backend
+ - don't allow visudo to accept an invalid sudoers file
+ - fixed a bug causing that non-root users can list privileges of
+ other users
+ - modified digest check documentation to mention the raciness of
+ the checking mechanism
+ Resolves: rhbz#1196451
+ Resolves: rhbz#1247230
+ Resolves: rhbz#1334331
+ Resolves: rhbz#1334360
+ Resolves: rhbz#1261998
+ Resolves: rhbz#1313364
+ Resolves: rhbz#1312486
+ Resolves: rhbz#1268958
+ Resolves: rhbz#1335039
+ Resolves: rhbz#1335042
+ Resolves: rhbz#1335045
+ Resolves: rhbz#1273243
+ Resolves: rhbz#1299883
+
+* Mon Feb 15 2016 Daniel Kopecek - 1.8.6p7-17
- fixed bug in closefrom_override defaults option
- Resolves: rhbz#1308495
+ Resolves: rhbz#1297062
* Tue Sep 1 2015 Daniel Kopecek - 1.8.6p7-16
- RHEL 7.2 erratum