Summary: Allows restricted root access for specified users Name: sudo Version: 1.8.23 Release: 10%{?dist}.3 License: ISC Group: Applications/System URL: http://www.courtesan.com/sudo/ Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz Source1: sudoers Source2: sudo-ldap.conf Source3: sudo.conf Requires: /etc/pam.d/system-auth Requires: /usr/bin/vi BuildRequires: /usr/sbin/sendmail BuildRequires: autoconf BuildRequires: automake BuildRequires: bison BuildRequires: flex BuildRequires: gettext BuildRequires: groff BuildRequires: libtool BuildRequires: audit-libs-devel BuildRequires: libcap-devel BuildRequires: libgcrypt-devel BuildRequires: libgcrypt-devel BuildRequires: libselinux-devel BuildRequires: openldap-devel BuildRequires: pam-devel BuildRequires: zlib-devel # don't strip Patch1: sudo-1.6.7p5-strip.patch # configure.in fix Patch2: sudo-1.7.2p1-envdebug.patch # 881258 - rpmdiff: added missing sudo-ldap.conf manpage Patch3: sudo-1.8.23-sudoldapconfman.patch # 1247591 - Sudo taking a long time when user information is stored externally. Patch4: sudo-1.8.23-legacy-group-processing.patch # 1135539 - sudo with ldap doesn't work with 'user id' in sudoUser option Patch5: sudo-1.8.23-ldapsearchuidfix.patch # 1312486 - RHEL7 sudo logs username "root" instead of realuser in /var/log/secure Patch6: sudo-1.8.6p7-logsudouser.patch # 840980 - sudo creates a new parent process # Adds cmnd_no_wait Defaults option Patch7: sudo-1.8.23-nowaitopt.patch # 1533964 - sudo skips PAM account module in case NOPASSWD is used in sudoers # This is fix of a regression in the referenced feature request. It was fixed # in newer versions of sudo and we backport it to prevent future regression # bz in RHEL. The feature itself was delivered via the rebase to 1.8.23. Patch8: sudo-1.8.23-Ignore-PAM_NEW_AUTHTOK_REQD-and-PAM_AUTHTOK_EXPIRED.patch # 1547974 - (sudo-rhel-7.6-rebase) Rebase sudo to latest stable upstream version Patch9: sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch # 1647678 - sudo access denied with pam_access and pts terminal configurations # 1672876 - Backporting sudo bug with expired passwords - this is included in in this patch Patch10: sudo-1.8.23-pam_access-and-terminals.patch # 1665285 - Problem with sudo-1.8.23 and 'who am i' Patch11: sudo-1.8.23-who-am-i.patch # 1738841 - Crash in do_syslog() while doing sudoedit Patch12: sudo-1.8.23-fix_empty_username_in_do_syslog.patch # 1760694 - CVE-2019-14287 sudo: Privilege escalation via 'Runas' specification with 'ALL' keyword [rhel-7.8] Patch13: sudo-1.8.28-CVE-strtouid.patch Patch14: sudo-1.8.28-CVE-strtouid-test.patch # 1798095 - CVE-2019-18634 sudo: Stack based buffer overflow in when pwfeedback is enabled [rhel-7.8] Patch15: sudo-1.8.29-CVE-2019-18634-part1.patch Patch16: sudo-1.8.29-CVE-2019-18634-part2.patch # 1788196 - sudo allows privilege escalation with expire password Patch17: sudo-1.8.29-expired-password-part1.patch Patch18: sudo-1.8.29-expired-password-part2.patch # 1917729 - EMBARGOED CVE-2021-3156 sudo: Heap-buffer overflow in argument parsing [rhel-7.9.z] Patch19: sudo-1.8.31-CVE-2021-3156.patch # 1972820 - Defaults use_pty plus SELinux ROLE in user specification breaks terminal Patch20: sudo-1.9.7-tty-relabel1.patch Patch21: sudo-1.9.7-tty-relabel2.patch # 2161217 - EMBARGOED CVE-2023-22809 sudo: arbitrary file write with privileges of the RunAs user [rhel-8.2.0] Patch24: sudo-1.9.12-CVE-2023-22809-whitelist.patch Patch25: sudo-1.9.12-CVE-2023-22809-backports.patch Patch26: sudo-1.9.12-CVE-2023-22809.patch %description Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. Sudo operates on a per-command basis. It is not a replacement for the shell. Features include: the ability to restrict what commands a user may run on a per-host basis, copious logging of each command (providing a clear audit trail of who did what), a configurable timeout of the sudo command, and the ability to use the same configuration file (sudoers) on many different machines. %package devel Summary: Development files for %{name} Group: Development/Libraries Requires: %{name} = %{version}-%{release} %description devel The %{name}-devel package contains header files developing sudo plugins that use %{name}. %prep %setup -q %patch1 -p1 -b .strip %patch2 -p1 -b .envdebug %patch3 -p1 -b .sudoldapconfman %patch4 -p1 -b .legacy-group-processing %patch5 -p1 -b .ldapsearchuidfix %patch6 -p1 -b .logsudouser %patch7 -p1 -b .nowaitopt %patch8 -p1 -b .pam-mgmt-ignore-errors %patch9 -p1 -b .defaults-double-quote-fix %patch10 -p1 -b .pam_access-and-terminals %patch11 -p1 -b .who-am-i %patch12 -p1 -b .do_syslog-username %patch13 -p1 -b .CVE-strtouid %patch14 -p1 -b .CVE-strtouid-test %patch15 -p1 -b .CVE-2019-18634-part1 %patch16 -p1 -b .CVE-2019-18634-part2 %patch17 -p1 -b .expired-password-part1 %patch18 -p1 -b .expired-password-part2 %patch19 -p1 -b .heap-buffer %patch20 -p1 -b .tty1 %patch21 -p1 -b .tty2 %patch24 -p1 -b .whitelist %patch25 -p1 -b .backports %patch26 -p1 -b .cve %build autoreconf -I m4 -fv --install %ifarch s390 s390x sparc64 F_PIE=-fPIE %else F_PIE=-fpie %endif export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" SHLIB_MODE=755 %configure \ --prefix=%{_prefix} \ --sbindir=%{_sbindir} \ --libdir=%{_libdir} \ --docdir=%{_datadir}/doc/%{name}-%{version} \ --with-logging=syslog \ --with-logfac=authpriv \ --with-pam \ --with-pam-login \ --with-editor=/usr/bin/vi \ --with-env-editor \ --enable-gcrypt \ --with-ignore-dot \ --with-tty-tickets \ --with-ldap \ --with-ldap-conf-file="%{_sysconfdir}/sudo-ldap.conf" \ --with-selinux \ --with-passprompt="[sudo] password for %p: " \ --with-linux-audit \ --with-sssd make %check make check %install rm -rf %{buildroot} # Update README.LDAP (#736653) sed -i 's|/etc/ldap\.conf|%{_sysconfdir}/sudo-ldap.conf|g' README.LDAP make install DESTDIR="%{buildroot}" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g` chmod 755 %{buildroot}%{_bindir}/* %{buildroot}%{_sbindir}/* install -p -d -m 700 %{buildroot}%{_localstatedir}/db/sudo install -p -d -m 700 %{buildroot}%{_localstatedir}/db/sudo/lectured install -p -d -m 750 %{buildroot}%{_sysconfdir}/sudoers.d install -p -c -m 0440 %{SOURCE1} %{buildroot}%{_sysconfdir}/sudoers install -p -c -m 0640 %{SOURCE3} %{buildroot}%{_sysconfdir}/sudo.conf install -p -c -m 0640 %{SOURCE2} %{buildroot}%{_sysconfdir}/sudo-ldap.conf # Remove upstream sudoers file rm -f %{buildroot}%{_sysconfdir}/sudoers.dist # Remove all .la files find %{buildroot} -name '*.la' -exec rm -f {} ';' %find_lang sudo %find_lang sudoers cat sudo.lang sudoers.lang > sudo_all.lang rm sudo.lang sudoers.lang mkdir -p %{buildroot}%{_sysconfdir}/pam.d cat > %{buildroot}%{_sysconfdir}/pam.d/sudo << EOF #%%PAM-1.0 auth include system-auth account include system-auth password include system-auth session optional pam_keyinit.so revoke session include system-auth EOF cat > %{buildroot}%{_sysconfdir}/pam.d/sudo-i << EOF #%%PAM-1.0 auth include sudo account include sudo password include sudo session optional pam_keyinit.so force revoke session include sudo EOF %clean rm -rf %{buildroot} %files -f sudo_all.lang %defattr(-,root,root) %attr(0440,root,root) %config(noreplace) %{_sysconfdir}/sudoers %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/sudo.conf %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/sudo-ldap.conf %attr(0750,root,root) %dir %{_sysconfdir}/sudoers.d/ %config(noreplace) %{_sysconfdir}/pam.d/sudo %config(noreplace) %{_sysconfdir}/pam.d/sudo-i %attr(0644,root,root) %{_tmpfilesdir}/sudo.conf %dir %{_localstatedir}/db/sudo %dir %{_localstatedir}/db/sudo/lectured %attr(4111,root,root) %{_bindir}/sudo %{_bindir}/sudoedit %{_bindir}/cvtsudoers %attr(0111,root,root) %{_bindir}/sudoreplay %attr(0755,root,root) %{_sbindir}/visudo %attr(0755,root,root) %{_libexecdir}/sudo/sesh %attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so %attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so %attr(0644,root,root) %{_libexecdir}/sudo/group_file.so %attr(0644,root,root) %{_libexecdir}/sudo/system_group.so %attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.? %{_libexecdir}/sudo/libsudo_util.so.? %{_libexecdir}/sudo/libsudo_util.so %{_mandir}/man5/sudoers.5* %{_mandir}/man5/sudoers.ldap.5* %{_mandir}/man5/sudo-ldap.conf.5* %{_mandir}/man5/sudo.conf.5* %{_mandir}/man8/sudo.8* %{_mandir}/man8/sudoedit.8* %{_mandir}/man8/sudoreplay.8* %{_mandir}/man8/visudo.8* %{_mandir}/man1/cvtsudoers.1.gz %{_mandir}/man5/sudoers_timestamp.5.gz %dir %{_docdir}/sudo-%{version} %{_docdir}/sudo-%{version}/* # Make sure permissions are ok even if we're updating %post /bin/chmod 0440 %{_sysconfdir}/sudoers || : %files devel %defattr(-,root,root,-) %doc plugins/sample/sample_plugin.c %{_includedir}/sudo_plugin.h %{_mandir}/man8/sudo_plugin.8* %changelog * Wed Jan 11 2023 Radovan Sroka - 1.8.23-10.3 RHEL 7.9.Z ERRATUM - CVE-2023-22809 sudo: arbitrary file write with privileges of the RunAs user Resolves: rhbz#2161222 * Fri Jul 09 2021 Radovan Sroka - 1.8.23-10.2 - RHEL 7.9.Z ERRATUM - defaults use_pty plus SELinux ROLE in user specification breaks terminal Resolves: rhbz#1972820 * Wed Jan 20 2021 Radovan Sroka - 1.8.23-10.1 - RHEL 7.9.Z ERRATUM - CVE-2021-3156 Resolves: rhbz#1917729 * Wed Mar 25 2020 Radovan Sroka - 1.8.23-10 - RHEL-7.9 - sudo allows privilege escalation with expire password Resolves: rhbz#1788196 * Wed Feb 05 2020 Radovan Sroka - 1.8.23-9 - RHEL-7.8 - CVE-2019-18634 Resolves: rhbz#1798095 * Thu Oct 17 2019 Marek Tamaskovic 1.8.23-8 - RHEL-7.8 - fixed CVE-2019-14287 Resolves: rhbz#1760695 * Thu Aug 22 2019 Marek Tamaskovic 1.8.23-7 - RHEL-7.8 erratum Resolves: rhbz#1738841 Crash in do_syslog() while doing sudoedit * Mon Aug 19 2019 Marek Tamaskovic 1.8.23-6 - RHEL-7.8 erratum Resolves: rhbz#1647678 sudo access denied with pam_access and pts terminal configurations * Mon Aug 12 2019 Marek Tamaskovic 1.8.23-5 - RHEL-7.8 erratum Resolves: rhbz#1711997 sudo is super slow when /etc/security/limits.conf contains many entries * Wed Feb 20 2019 Radovan Sroka 1.8.23-4 - RHEL-7.7 erratum Resolves: rhbz#1672876 - Backporting sudo bug with expired passwords Resolves: rhbz#1665285 - Problem with sudo-1.8.23 and 'who am i' * Mon Sep 24 2018 Daniel Kopecek 1.8.23-3 - RHEL-7.6 erratum Resolves: rhbz#1547974 - Rebase sudo to latest stable upstream version * Fri Sep 21 2018 Daniel Kopecek 1.8.23-2 - RHEL-7.6 erratum Resolves: rhbz#1533964 - sudo skips PAM account module in case NOPASSWD is used in sudoers Resolves: rhbz#1506025 - Latest update broke sudo for ldap users. Resolves: rhbz#1502630 - inclusion of system-auth for session hooks missing in sudo PAM snippets * Thu Jun 28 2018 Daniel Kopecek 1.8.23-1 - RHEL-7.6 erratum Resolves: rhbz#1547974 - Rebase sudo to latest stable upstream version (1.8.23) Resolves: rhbz#1502630 - inclusion of system-auth for session hooks missing in sudo PAM snippets Resolves: rhbz#1506025 - Latest update broke sudo for ldap users. Resolves: rhbz#1533964 - sudo skips PAM account module in case NOPASSWD is used in sudoers Resolves: rhbz#1548380 - RFE: Create flag to filter to sudo -l output Resolves: rhbz#1510002 - Ensure that the command input (stdin) eating behaviour of Default log_input is documented Resolves: rhbz#1596032 - Why does sudo package depend on vim-minimal? * Thu Nov 30 2017 Radovan Sroka 1.8.19p2-13 - RHEL 7.5 erratum - Fixed sudo -l checking results whether user should be authenticated - Enabled LDAP filter patch - Fixed double free in sssd Resolves: rhbz#1505409 Resolves: rhbz#1511850 Resolves: rhbz#1518104 * Mon Oct 02 2017 Radovan Sroka 1.8.19p2-12 - RHEL 7.5 erratum - Fixed exit codes for `sudo -l -U ` - Fixed truncated output when log_output is enabled - Updated use_pty and IO logging manpage Resolves: rhbz#1458696 Resolves: rhbz#1454571 Resolves: rhbz#1490358 - Fixed second pass LDAP filter expression in the sudoers ldap backend - inclomplete patch for rhbz#1485397 * Mon Aug 14 2017 Daniel Kopecek - 1.8.19p2-11 - Moved libsudo_util.so from the -devel sub-package to main package Resolves: rhbz#1481225 * Wed Jun 07 2017 Daniel Kopecek - 1.8.19p2-10 - RHEL 7.4 erratum - Fix CVE-2017-1000368 Resolves: rhbz#1459411 * Tue Jun 06 2017 Radovan Sroka - 1.8.19p2-9 - RHEL 7.4 erratum - removed patch for output truncation (1454571) which introduced regression Resolves: rhbz#1360687 * Thu May 25 2017 Jakub Jelen - 1.8.19p2-8 - RHEL 7.4 erratum - Fixes CVE-2017-1000367: Privilege escalation in via improper get_process_ttyname() parsing Resolves: rhbz#1455402 * Tue May 23 2017 Daniel Kopecek - 1.8.19p2-7 - RHEL 7.4 erratum - added patch to fix output truncation (in some cases) when log_output option is enabled Resolves: rhbz#1454571 * Thu May 04 2017 Radovan Sroka - 1.8.19p2-6 - RHEL 7.4 erratum - added patch that fixes lecture option used as bolean Resolves rhbz#1360687 * Tue Apr 25 2017 Radovan Sroka - 1.8.19p2-5 - RHEL 7.4 erratum - added doc patch about sudo lookup issue Resolves: rhbz#1293306 - added test suite patch Resolves: rhbz#1360687 - fixed use after free fqdn problem Resolves: rhbz#1360687 * Tue Mar 21 2017 Tomas Sykora - 1.8.19p2-4 - RHEL 7.4 erratum - fixed cmnd_no_wait patch - backported iolog_flush sudoers default Resolves: rhbz#1369856 Resolves: rhbz#1425853 * Wed Mar 08 2017 Tomas Sykora - 1.8.19p2-3 - RHEL 7.4 eratum - Fixes semicolon typo in digest backport patch from the previous build Resolves: rhbz#1360687 * Wed Mar 08 2017 Tomas Sykora - 1.8.19p2-2 - RHEL 7.4 erratum - Fixes coverity scan issues created by our patches: - fixed resource leaks and a compiler warning in digest backport patch - removed needless code from cmnd_no_wait patch causing clang warning - format of the last changelog message causes problems to rhpkg push, so don't use that as a commit message Resolves: rhbz#1360687 * Wed Mar 01 2017 Tomas Sykora - 1.8.19p2-1 - RHEL 7.4 erratum - Resolves: rhbz#1360687 - rebase to 1.8.19p2 - Resolves: rhbz#1123526 - performance improvement - Resolves: rhbz#1308789 - add MAIL and NOMAIL tags - Resolves: rhbz#1348504 - sudo now parses sudoers with sudoers locale - Resolves: rhbz#1374417 - "sudo -l command" indicated that the command was runnable even if denied by sudoers when using LDAP or SSSD backend. - Resolves: rhbz#1387303 - add ignore_iolog_errors option - Resolves: rhbz#1389360 - wrong log file group ownership - Resolves: rhbz#1389735 - add iolog_group, iolog_mode, iolog_user options - Resolves: rhbz#1397169 - maxseq and ignore_iolog_errors options - Resolves: rhbz#1403051 - add support for querying netgroups directly via LDAP - Resolves: rhbz#1410086 - race condition while creating /var/log/sudo-io dir - Resolves: rhbz#1413160 - add ignore_unknown_defaults flag - Resolves: rhbz#1254772 - ability to export sudoers in json format - Resolves: rhbz#1417187 - wrong reference to config file in systax error message - Resolves: rhbz#1424575 - visudo was not printing severity of error/warning message * Wed Nov 23 2016 Daniel Kopecek - 1.8.6p7-21 - Update noexec syscall blacklist - Fixes CVE-2016-7032 and CVE-2016-7076 Resolves: rhbz#1391940 * Tue Jul 19 2016 Daniel Kopecek - 1.8.6p7-20 - RHEL 7.3 erratum - fixed visudo's -q flag Resolves: rhbz#1350828 * Tue Jun 14 2016 Daniel Kopecek - 1.8.6p7-19 - RHEL 7.3 erratum - removed INPUTRC from env_keep to prevent a potential info leak Resolves: rhbz#1340700 * Wed May 11 2016 Daniel Kopecek - 1.8.6p7-18 - RHEL 7.3 erratum - removed requiretty flag from the default sudoers policy - backported pam_service and pam_login_service defaults options - implemented netgroup_tuple defaults option for changing netgroup processing semantics - fixed user matching logic in the LDAP nss backend - don't allow visudo to accept an invalid sudoers file - fixed a bug causing that non-root users can list privileges of other users - modified digest check documentation to mention the raciness of the checking mechanism Resolves: rhbz#1196451 Resolves: rhbz#1247230 Resolves: rhbz#1334331 Resolves: rhbz#1334360 Resolves: rhbz#1261998 Resolves: rhbz#1313364 Resolves: rhbz#1312486 Resolves: rhbz#1268958 Resolves: rhbz#1335039 Resolves: rhbz#1335042 Resolves: rhbz#1335045 Resolves: rhbz#1273243 Resolves: rhbz#1299883 * Mon Feb 15 2016 Daniel Kopecek - 1.8.6p7-17 - fixed bug in closefrom_override defaults option Resolves: rhbz#1297062 * Tue Sep 1 2015 Daniel Kopecek - 1.8.6p7-16 - RHEL 7.2 erratum - show the digest type in warning messages Resolves: rhbz#1183818 * Tue Sep 1 2015 Daniel Kopecek - 1.8.6p7-15 - RHEL 7.2 erratum - fixed compilation of testing binaries during make check - added legacy group processing patch - replaced buggy base64 decoder with a public domain implementation Resolves: rhbz#1254621 Resolves: rhbz#1183818 Resolves: rhbz#1247591 * Tue Jul 7 2015 Daniel Kopecek - 1.8.6p7-14 - RHEL 7.2 erratum - backported command digest specification - fixed CVE-2014-9680 sudo: unsafe handling of TZ environment variable - fixed typos in sudoers.ldap man page - fixed handling of double-quoted sudoOption values in ldap, sssd sources - fixed numeric uid specification support in ldap source - fixed authentication flag logic in ldap source - added the systemctl command to the SERVICES alias in the default sudoers file Resolves: rhbz#1144446 Resolves: rhbz#1235570 Resolves: rhbz#1138259 Resolves: rhbz#1183818 Resolves: rhbz#1233607 Resolves: rhbz#1144419 Resolves: rhbz#1135539 Resolves: rhbz#1215400 * Tue Sep 30 2014 Daniel Kopecek - 1.8.6p7-13 - RHEL 7.1 erratum - fixed issues found by covscan/clang-analyzer Resolves: rhbz#1147616 * Mon Sep 29 2014 Daniel Kopecek - 1.8.6p7-12 - RHEL 7.1 erratum - don't retry authentication when ctrl-c pressed - fix double-quote processing in Defaults options - handle the "(none)" hostname correctly - SSSD: fix sudoUser netgroup specification filtering - SSSD: list correct user when -U -l specified - SSSD: show rule names on long listing (-ll) - fix infinite loop when duplicate entries are specified on the sudoers nsswitch.conf line Resolves: rhbz#1084488 Resolves: rhbz#1088464 Resolves: rhbz#1088825 Resolves: rhbz#1092499 Resolves: rhbz#1093099 Resolves: rhbz#1096813 Resolves: rhbz#1147497 Resolves: rhbz#1147557 * Wed Feb 26 2014 Daniel Kopecek - 1.8.6p7-11 - Fixed incorrect login shell path construction in sesh (thanks fkrska@redhat.com for the patch) Resolves: rhbz#1065418 * Fri Jan 24 2014 Daniel Mach - 1.8.6p7-10 - Mass rebuild 2014-01-24 * Wed Jan 15 2014 Daniel Kopecek - 1.8.6p7-9 - allow the wheel group to use sudo Resolves: rhbz#994623 * Fri Dec 27 2013 Daniel Mach - 1.8.6p7-8 - Mass rebuild 2013-12-27 * Fri Nov 08 2013 Daniel Kopecek - 1.8.6p7-7 - dropped wrong patch and fixed patch comments Resolves: rhbz#1000389 * Thu Nov 07 2013 Daniel Kopecek - 1.8.6p7-6 - fixed alias cycle detection code - added debug messages for tracing of netgroup matching - fixed aborting on realloc when displaying allowed commands - sssd: filter netgroups in the sudoUser attribute - parse uids/gids more strictly - added debug messages to trace netgroup matching Resolves: rhbz#1026904 Resolves: rhbz#1026890 Resolves: rhbz#1007014 Resolves: rhbz#1026894 Resolves: rhbz#1000389 Resolves: rhbz#994566 * Mon Aug 05 2013 Daniel Kopecek - 1.8.6p7-5 - added standalone manpage for sudo.conf and sudo-ldap.conf - spec file cleanup Resolves: rhbz#881258 * Mon Jul 29 2013 Daniel Kopecek - 1.8.6p7-4 - added RHEL 6 patches * Wed Jul 24 2013 Daniel Kopecek - 1.8.6p7-3 - synced sudoers, configure options & configuration files with expected RHEL configuration Resolves: rhbz#969373 Resolves: rhbz#971009 Resolves: rhbz#965124 Resolves: rhbz#971013 Resolves: rhbz#839705 * Thu Apr 11 2013 Daniel Kopecek - 1.8.6p7-2 - depend on /usr/sbin/sendmail instead of the sendmail package Resolves: rhbz#927842 * Thu Feb 28 2013 Daniel Kopecek - 1.8.6p7-1 - update to 1.8.6p7 - fixes CVE-2013-1775 and CVE-2013-1776 - fixed several packaging issues (thanks to ville.skytta@iki.fi) - build with system zlib. - let rpmbuild strip libexecdir/*.so. - own the %%{_docdir}/sudo-* dir. - fix some rpmlint warnings (spaces vs tabs, unescaped macros). - fix bogus %%changelog dates. * Fri Feb 15 2013 Fedora Release Engineering - 1.8.6p3-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild * Mon Nov 12 2012 Daniel Kopecek - 1.8.6p3-2 - added upstream patch for a regression - don't include arch specific files in the -devel subpackage - ship only one sample plugin in the -devel subpackage * Tue Sep 25 2012 Daniel Kopecek - 1.8.6p3-1 - update to 1.8.6p3 - drop -pipelist patch (fixed in upstream) * Thu Sep 6 2012 Daniel Kopecek - 1.8.6-1 - update to 1.8.6 * Thu Jul 26 2012 Daniel Kopecek - 1.8.5-4 - added patches that fix & improve SSSD support (thanks to pbrezina@redhat.com) - re-enabled SSSD support - removed libsss_sudo dependency * Tue Jul 24 2012 Bill Nottingham - 1.8.5-3 - flip sudoers2ldif executable bit after make install, not in setup * Sat Jul 21 2012 Fedora Release Engineering - 1.8.5-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild * Thu May 17 2012 Daniel Kopecek - 1.8.5-1 - update to 1.8.5 - fixed CVE-2012-2337 - temporarily disabled SSSD support * Wed Feb 29 2012 Daniel Kopecek - 1.8.3p1-6 - fixed problems with undefined symbols (rhbz#798517) * Wed Feb 22 2012 Daniel Kopecek - 1.8.3p1-5 - SSSD patch update * Tue Feb 7 2012 Daniel Kopecek - 1.8.3p1-4 - added SSSD support * Thu Jan 26 2012 Daniel Kopecek - 1.8.3p1-3 - added patch for CVE-2012-0809 * Sat Jan 14 2012 Fedora Release Engineering - 1.8.3p1-2 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild * Thu Nov 10 2011 Daniel Kopecek - 1.8.3p1-1 - update to 1.8.3p1 - disable output word wrapping if the output is piped * Wed Sep 7 2011 Peter Robinson - 1.8.1p2-2 - Remove execute bit from sample script in docs so we don't pull in perl * Tue Jul 12 2011 Daniel Kopecek - 1.8.1p2-1 - rebase to 1.8.1p2 - removed .sudoi patch - fixed typo: RELPRO -> RELRO - added -devel subpackage for the sudo_plugin.h header file - use default ldap configuration files again * Fri Jun 3 2011 Daniel Kopecek - 1.7.4p5-4 - build with RELRO * Wed Feb 09 2011 Fedora Release Engineering - 1.7.4p5-3 - Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild * Mon Jan 17 2011 Daniel Kopecek - 1.7.4p5-2 - rebase to 1.7.4p5 - fixed sudo-1.7.4p4-getgrouplist.patch - fixes CVE-2011-0008, CVE-2011-0010 * Tue Nov 30 2010 Daniel Kopecek - 1.7.4p4-5 - anybody in the wheel group has now root access (using password) (rhbz#656873) - sync configuration paths with the nss_ldap package (rhbz#652687) * Wed Sep 29 2010 Daniel Kopecek - 1.7.4p4-4 - added upstream patch to fix rhbz#638345 * Mon Sep 20 2010 Daniel Kopecek - 1.7.4p4-3 - added patch for #635250 - /var/run/sudo -> /var/db/sudo in .spec * Tue Sep 7 2010 Daniel Kopecek - 1.7.4p4-2 - sudo now uses /var/db/sudo for timestamps * Tue Sep 7 2010 Daniel Kopecek - 1.7.4p4-1 - update to new upstream version - new command available: sudoreplay - use native audit support - corrected license field value: BSD -> ISC * Wed Jun 2 2010 Daniel Kopecek - 1.7.2p6-2 - added patch that fixes insufficient environment sanitization issue (#598154) * Wed Apr 14 2010 Daniel Kopecek - 1.7.2p6-1 - update to new upstream version - merged .audit and .libaudit patch - added sudoers.ldap.5* to files * Mon Mar 1 2010 Daniel Kopecek - 1.7.2p5-2 - update to new upstream version * Tue Feb 16 2010 Daniel Kopecek - 1.7.2p2-5 - fixed no valid sudoers sources found (#558875) * Wed Feb 10 2010 Daniel Kopecek - 1.7.2p2-4 - audit related Makefile.in and configure.in corrections - added --with-audit configure option - removed call to libtoolize * Wed Feb 10 2010 Daniel Kopecek - 1.7.2p2-3 - fixed segfault when #include directive is used in cycles (#561336) * Fri Jan 8 2010 Ville Skyttä - 1.7.2p2-2 - Add /etc/sudoers.d dir and use it in default config (#551470). - Drop *.pod man page duplicates from docs. * Thu Jan 07 2010 Daniel Kopecek - 1.7.2p2-1 - new upstream version 1.7.2p2-1 - commented out unused aliases in sudoers to make visudo happy (#550239) * Fri Aug 21 2009 Tomas Mraz - 1.7.1-7 - rebuilt with new audit * Thu Aug 20 2009 Daniel Kopecek 1.7.1-6 - moved secure_path from compile-time option to sudoers file (#517428) * Sun Jul 26 2009 Fedora Release Engineering - 1.7.1-5 - Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild * Thu Jul 09 2009 Daniel Kopecek 1.7.1-4 - moved the closefrom() call before audit_help_open() (sudo-1.7.1-auditfix.patch) - epoch number sync * Mon Jun 22 2009 Daniel Kopecek 1.7.1-1 - updated sudo to version 1.7.1 - fixed small bug in configure.in (sudo-1.7.1-conffix.patch) * Tue Feb 24 2009 Daniel Kopecek 1.6.9p17-6 - fixed building with new libtool - fix for incorrect handling of groups in Runas_User - added /usr/local/sbin to secure-path * Tue Jan 13 2009 Daniel Kopecek 1.6.9p17-3 - build with sendmail installed - Added /usr/local/bin to secure-path * Tue Sep 02 2008 Peter Vrabec 1.6.9p17-2 - adjust audit patch, do not scream when kernel is compiled without audit netlink support (#401201) * Fri Jul 04 2008 Peter Vrabec 1.6.9p17-1 - upgrade * Wed Jun 18 2008 Peter Vrabec 1.6.9p13-7 - build with newer autoconf-2.62 (#449614) * Tue May 13 2008 Peter Vrabec 1.6.9p13-6 - compiled with secure path (#80215) * Mon May 05 2008 Peter Vrabec 1.6.9p13-5 - fix path to updatedb in /etc/sudoers (#445103) * Mon Mar 31 2008 Peter Vrabec 1.6.9p13-4 - include ldap files in rpm package (#439506) * Thu Mar 13 2008 Peter Vrabec 1.6.9p13-3 - include [sudo] in password prompt (#437092) * Tue Mar 04 2008 Peter Vrabec 1.6.9p13-2 - audit support improvement * Thu Feb 21 2008 Peter Vrabec 1.6.9p13-1 - upgrade to the latest upstream release * Wed Feb 06 2008 Peter Vrabec 1.6.9p12-1 - upgrade to the latest upstream release - add selinux support * Mon Feb 04 2008 Dennis Gilmore 1.6.9p4-6 - sparc64 needs to be in the -fPIE list with s390 * Mon Jan 07 2008 Peter Vrabec 1.6.9p4-5 - fix complains about audit_log_user_command(): Connection refused (#401201) * Wed Dec 05 2007 Release Engineering - 1.6.9p4-4 - Rebuild for deps * Wed Dec 05 2007 Release Engineering - 1.6.9p4-3 - Rebuild for openssl bump * Thu Aug 30 2007 Peter Vrabec 1.6.9p4-2 - fix autotools stuff and add audit support * Mon Aug 20 2007 Peter Vrabec 1.6.9p4-1 - upgrade to upstream release * Thu Apr 12 2007 Peter Vrabec 1.6.8p12-14 - also use getgrouplist() to determine group membership (#235915) * Mon Feb 26 2007 Peter Vrabec 1.6.8p12-13 - fix some spec file issues * Thu Dec 14 2006 Peter Vrabec 1.6.8p12-12 - fix rpmlint issue * Thu Oct 26 2006 Peter Vrabec 1.6.8p12-11 - fix typo in sudoers file (#212308) * Sun Oct 01 2006 Jesse Keating - 1.6.8p12-10 - rebuilt for unwind info generation, broken in gcc-4.1.1-21 * Thu Sep 21 2006 Peter Vrabec 1.6.8p12-9 - fix sudoers file, X apps didn't work (#206320) * Tue Aug 08 2006 Peter Vrabec 1.6.8p12-8 - use Red Hat specific default sudoers file * Sun Jul 16 2006 Karel Zak 1.6.8p12-7 - fix #198755 - make login processes (sudo -i) initialise session keyring (thanks for PAM config files to David Howells) - add IPv6 support (patch by Milan Zazrivec) * Wed Jul 12 2006 Jesse Keating - 1.6.8p12-6.1 - rebuild * Mon May 29 2006 Karel Zak 1.6.8p12-6 - fix #190062 - "ssh localhost sudo su" will show the password in clear * Tue May 23 2006 Karel Zak 1.6.8p12-5 - add LDAP support (#170848) * Fri Feb 10 2006 Jesse Keating - 1.6.8p12-4.1 - bump again for double-long bug on ppc(64) * Wed Feb 8 2006 Karel Zak 1.6.8p12-4 - reset env. by default * Tue Feb 07 2006 Jesse Keating - 1.6.8p12-3.1 - rebuilt for new gcc4.1 snapshot and glibc changes * Mon Jan 23 2006 Dan Walsh 1.6.8p12-3 - Remove selinux patch. It has been decided that the SELinux patch for sudo is - no longer necessary. In tageted policy it had no effect. In strict/MLS policy - We require the person using sudo to execute newrole before using sudo. * Fri Dec 09 2005 Jesse Keating - rebuilt * Fri Nov 25 2005 Karel Zak 1.6.8p12-1 - new upstream version 1.6.8p12 * Tue Nov 8 2005 Karel Zak 1.6.8p11-1 - new upstream version 1.6.8p11 * Thu Oct 13 2005 Tomas Mraz 1.6.8p9-6 - use include instead of pam_stack in pam config * Tue Oct 11 2005 Karel Zak 1.6.8p9-5 - enable interfaces in selinux patch - merge sudo-1.6.8p8-sesh-stopsig.patch to selinux patch * Mon Sep 19 2005 Karel Zak 1.6.8p9-4 - fix debuginfo * Mon Sep 19 2005 Karel Zak 1.6.8p9-3 - fix #162623 - sesh hangs when child suspends * Mon Aug 1 2005 Dan Walsh 1.6.8p9-2 - Add back in interfaces call, SELinux has been fixed to work around * Tue Jun 21 2005 Karel Zak 1.6.8p9-1 - new version 1.6.8p9 (resolve #161116 - CAN-2005-1993 sudo trusted user arbitrary command execution) * Tue May 24 2005 Karel Zak 1.6.8p8-2 - fix #154511 - sudo does not use limits.conf * Mon Apr 4 2005 Thomas Woerner 1.6.8p8-1 - new version 1.6.8p8: new sudoedit and sudo_noexec * Wed Feb 9 2005 Thomas Woerner 1.6.7p5-31 - rebuild * Mon Oct 4 2004 Thomas Woerner 1.6.7p5-30.1 - added missing BuildRequires for libselinux-devel (#132883) * Wed Sep 29 2004 Dan Walsh 1.6.7p5-30 - Fix missing param error in sesh * Mon Sep 27 2004 Dan Walsh 1.6.7p5-29 - Remove full patch check from sesh * Thu Jul 8 2004 Dan Walsh 1.6.7p5-28 - Fix selinux patch to switch to root user * Tue Jun 15 2004 Elliot Lee - rebuilt * Tue Apr 13 2004 Dan Walsh 1.6.7p5-26 - Eliminate tty handling from selinux * Thu Apr 1 2004 Thomas Woerner 1.6.7p5-25 - fixed spec file: sesh in file section with selinux flag (#119682) * Tue Mar 30 2004 Colin Walters 1.6.7p5-24 - Enhance sesh.c to fork/exec children itself, to avoid having sudo reap all domains. - Only reinstall default signal handlers immediately before exec of child with SELinux patch * Thu Mar 18 2004 Dan Walsh 1.6.7p5-23 - change to default to sysadm_r - Fix tty handling * Thu Mar 18 2004 Dan Walsh 1.6.7p5-22 - Add /bin/sesh to run selinux code. - replace /bin/bash -c with /bin/sesh * Tue Mar 16 2004 Dan Walsh 1.6.7p5-21 - Hard code to use "/bin/bash -c" for selinux * Tue Mar 16 2004 Dan Walsh 1.6.7p5-20 - Eliminate closing and reopening of terminals, to match su. * Mon Mar 15 2004 Dan Walsh 1.6.7p5-19 - SELinux fixes to make transitions work properly * Fri Mar 5 2004 Thomas Woerner 1.6.7p5-18 - pied sudo * Fri Feb 13 2004 Elliot Lee - rebuilt * Tue Jan 27 2004 Dan Walsh 1.6.7p5-16 - Eliminate interfaces call, since this requires big SELinux privs - and it seems to be useless. * Tue Jan 27 2004 Karsten Hopp 1.6.7p5-15 - visudo requires vim-minimal or setting EDITOR to something useful (#68605) * Mon Jan 26 2004 Dan Walsh 1.6.7p5-14 - Fix is_selinux_enabled call * Tue Jan 13 2004 Dan Walsh 1.6.7p5-13 - Clean up patch on failure * Tue Jan 6 2004 Dan Walsh 1.6.7p5-12 - Remove sudo.te for now. * Fri Jan 2 2004 Dan Walsh 1.6.7p5-11 - Fix usage message * Mon Dec 22 2003 Dan Walsh 1.6.7p5-10 - Clean up sudo.te to not blow up if pam.te not present * Thu Dec 18 2003 Thomas Woerner - added missing BuildRequires for groff * Tue Dec 16 2003 Jeremy Katz 1.6.7p5-9 - remove left-over debugging code * Tue Dec 16 2003 Dan Walsh 1.6.7p5-8 - Fix terminal handling that caused Sudo to exit on non selinux machines. * Mon Dec 15 2003 Dan Walsh 1.6.7p5-7 - Remove sudo_var_run_t which is now pam_var_run_t * Fri Dec 12 2003 Dan Walsh 1.6.7p5-6 - Fix terminal handling and policy * Thu Dec 11 2003 Dan Walsh 1.6.7p5-5 - Fix policy * Thu Nov 13 2003 Dan Walsh 1.6.7p5-4.sel - Turn on SELinux support * Tue Jul 29 2003 Dan Walsh 1.6.7p5-3 - Add support for SELinux * Wed Jun 04 2003 Elliot Lee - rebuilt * Mon May 19 2003 Thomas Woerner 1.6.7p5-1 * Wed Jan 22 2003 Tim Powers - rebuilt * Tue Nov 12 2002 Nalin Dahyabhai 1.6.6-2 - remove absolute path names from the PAM configuration, ensuring that the right modules get used for whichever arch we're built for - don't try to install the FAQ, which isn't there any more * Thu Jun 27 2002 Bill Nottingham 1.6.6-1 - update to 1.6.6 * Fri Jun 21 2002 Tim Powers - automated rebuild * Thu May 23 2002 Tim Powers - automated rebuild * Thu Apr 18 2002 Bernhard Rosenkraenzer 1.6.5p2-2 - Fix bug #63768 * Thu Mar 14 2002 Bernhard Rosenkraenzer 1.6.5p2-1 - 1.6.5p2 * Fri Jan 18 2002 Bernhard Rosenkraenzer 1.6.5p1-1 - 1.6.5p1 - Hope this "a new release per day" madness stops ;) * Thu Jan 17 2002 Bernhard Rosenkraenzer 1.6.5-1 - 1.6.5 * Tue Jan 15 2002 Bernhard Rosenkraenzer 1.6.4p1-1 - 1.6.4p1 * Mon Jan 14 2002 Bernhard Rosenkraenzer 1.6.4-1 - Update to 1.6.4 * Mon Jul 23 2001 Bernhard Rosenkraenzer 1.6.3p7-2 - Add build requirements (#49706) - s/Copyright/License/ - bzip2 source * Sat Jun 16 2001 Than Ngo - update to 1.6.3p7 - use %%{_tmppath} * Fri Feb 23 2001 Bernhard Rosenkraenzer - 1.6.3p6, fixes buffer overrun * Tue Oct 10 2000 Bernhard Rosenkraenzer - 1.6.3p5 * Wed Jul 12 2000 Prospector - automatic rebuild * Tue Jun 06 2000 Karsten Hopp - fixed owner of sudo and visudo * Thu Jun 1 2000 Nalin Dahyabhai - modify PAM setup to use system-auth - clean up buildrooting by using the makeinstall macro * Tue Apr 11 2000 Bernhard Rosenkraenzer - initial build in main distrib - update to 1.6.3 - deal with compressed man pages * Tue Dec 14 1999 Preston Brown - updated to 1.6.1 for Powertools 6.2 - config files are now noreplace. * Thu Jul 22 1999 Tim Powers - updated to 1.5.9p2 for Powertools 6.1 * Wed May 12 1999 Bill Nottingham - sudo is configured with pam. There's no pam.d file. Oops. * Mon Apr 26 1999 Preston Brown - upgraded to 1.59p1 for powertools 6.0 * Tue Oct 27 1998 Preston Brown - fixed so it doesn't find /usr/bin/vi first, but instead /bin/vi (always installed) * Thu Oct 08 1998 Michael Maher - built package for 5.2 * Mon May 18 1998 Michael Maher - updated SPEC file * Thu Jan 29 1998 Otto Hammersmith - updated to 1.5.4 * Tue Nov 18 1997 Otto Hammersmith - built for glibc, no problems * Fri Apr 25 1997 Michael Fulbright - Fixed for 4.2 PowerTools - Still need to be pamified - Still need to move stmp file to /var/log * Mon Feb 17 1997 Michael Fulbright - First version for PowerCD.