diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..ffb92a8 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +SOURCES/sudo-1.8.23.tar.gz diff --git a/.sudo.metadata b/.sudo.metadata new file mode 100644 index 0000000..30c3701 --- /dev/null +++ b/.sudo.metadata @@ -0,0 +1 @@ +8db5a01eda3a14e8b40af7ee1ed6d38660463430 SOURCES/sudo-1.8.23.tar.gz diff --git a/SOURCES/sudo-1.6.7p5-strip.patch b/SOURCES/sudo-1.6.7p5-strip.patch new file mode 100644 index 0000000..ba00efc --- /dev/null +++ b/SOURCES/sudo-1.6.7p5-strip.patch @@ -0,0 +1,27 @@ +From 8a045c3880e06f5fcf69a73c4029d6725e17f7bc Mon Sep 17 00:00:00 2001 +From: Tomas Sykora +Date: Fri, 19 Aug 2016 13:49:25 +0200 +Subject: [PATCH 01/10] We do not strip + +rebased from: +Patch1: sudo-1.6.7p5-strip.patch +--- + install-sh | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/install-sh b/install-sh +index 6944fba..49d383a 100755 +--- a/install-sh ++++ b/install-sh +@@ -147,7 +147,7 @@ while ${MORETODO} ; do + fi + ;; + X-s) +- STRIPIT=true ++ #STRIPIT=true + ;; + X--) + shift +-- +2.7.4 + diff --git a/SOURCES/sudo-1.7.2p1-envdebug.patch b/SOURCES/sudo-1.7.2p1-envdebug.patch new file mode 100644 index 0000000..94c719a --- /dev/null +++ b/SOURCES/sudo-1.7.2p1-envdebug.patch @@ -0,0 +1,27 @@ +From 44a602b49365969e56c63c9f12eda197e951302f Mon Sep 17 00:00:00 2001 +From: Tomas Sykora +Date: Fri, 19 Aug 2016 14:07:35 +0200 +Subject: [PATCH 02/10] Added "Enviroment debugging" message + +rebased from: +Patch2: sudo-1.7.2p1-envdebug.patch +--- + configure.ac | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/configure.ac b/configure.ac +index 9feddfd..39a2d86 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -1390,7 +1390,7 @@ AC_ARG_ENABLE(env_debug, + [AS_HELP_STRING([--enable-env-debug], [Whether to enable environment debugging.])], + [ case "$enableval" in + yes) AC_MSG_RESULT(yes) +- AC_DEFINE(ENV_DEBUG) ++ AC_DEFINE(ENV_DEBUG, [], [Environment debugging.]) + ;; + no) AC_MSG_RESULT(no) + ;; +-- +2.7.4 + diff --git a/SOURCES/sudo-1.8.23-Ignore-PAM_NEW_AUTHTOK_REQD-and-PAM_AUTHTOK_EXPIRED.patch b/SOURCES/sudo-1.8.23-Ignore-PAM_NEW_AUTHTOK_REQD-and-PAM_AUTHTOK_EXPIRED.patch new file mode 100644 index 0000000..826e734 --- /dev/null +++ b/SOURCES/sudo-1.8.23-Ignore-PAM_NEW_AUTHTOK_REQD-and-PAM_AUTHTOK_EXPIRED.patch @@ -0,0 +1,161 @@ +From 0f303a2de843c31afb03b558dfb7287be79e6e17 Mon Sep 17 00:00:00 2001 +From: "Todd C. Miller" +Date: Thu, 26 Jul 2018 12:31:29 -0600 +Subject: [PATCH] Ignore PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED errors + from pam_acct_mgmt() if authentication is disabled for the user. Bug #843 + +--- + plugins/sudoers/auth/bsdauth.c | 2 +- + plugins/sudoers/auth/pam.c | 10 +++++++++- + plugins/sudoers/auth/sudo_auth.c | 4 ++-- + plugins/sudoers/auth/sudo_auth.h | 6 +++--- + plugins/sudoers/check.c | 4 +++- + plugins/sudoers/sudoers.h | 2 +- + 6 files changed, 19 insertions(+), 9 deletions(-) + +diff --git a/plugins/sudoers/auth/bsdauth.c b/plugins/sudoers/auth/bsdauth.c +index 444cd337..390263d3 100644 +--- a/plugins/sudoers/auth/bsdauth.c ++++ b/plugins/sudoers/auth/bsdauth.c +@@ -168,7 +168,7 @@ bsdauth_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_con + } + + int +-bsdauth_approval(struct passwd *pw, sudo_auth *auth) ++bsdauth_approval(struct passwd *pw, sudo_auth *auth, bool exempt) + { + struct bsdauth_state *state = auth->data; + debug_decl(bsdauth_approval, SUDOERS_DEBUG_AUTH) +diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c +index 347289da..a4749448 100644 +--- a/plugins/sudoers/auth/pam.c ++++ b/plugins/sudoers/auth/pam.c +@@ -202,7 +202,7 @@ sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_co + } + + int +-sudo_pam_approval(struct passwd *pw, sudo_auth *auth) ++sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt) + { + const char *s; + int *pam_status = (int *) auth->data; +@@ -217,6 +217,10 @@ sudo_pam_approval(struct passwd *pw, sudo_auth *auth) + "is your account locked?")); + debug_return_int(AUTH_FATAL); + case PAM_NEW_AUTHTOK_REQD: ++ /* Ignore if user is exempt from password restrictions. */ ++ if (exempt) ++ debug_return_int(AUTH_SUCCESS); ++ /* New password required, try to change it. */ + log_warningx(0, N_("Account or password is " + "expired, reset your password and try again")); + *pam_status = pam_chauthtok(pamh, +@@ -229,6 +233,10 @@ sudo_pam_approval(struct passwd *pw, sudo_auth *auth) + N_("unable to change expired password: %s"), s); + debug_return_int(AUTH_FAILURE); + case PAM_AUTHTOK_EXPIRED: ++ /* Ignore if user is exempt from password restrictions. */ ++ if (exempt) ++ debug_return_int(AUTH_SUCCESS); ++ /* Password expired, cannot be updated by user. */ + log_warningx(0, + N_("Password expired, contact your system administrator")); + debug_return_int(AUTH_FATAL); +diff --git a/plugins/sudoers/auth/sudo_auth.c b/plugins/sudoers/auth/sudo_auth.c +index 6ef9bd72..5d9382dc 100644 +--- a/plugins/sudoers/auth/sudo_auth.c ++++ b/plugins/sudoers/auth/sudo_auth.c +@@ -163,7 +163,7 @@ sudo_auth_init(struct passwd *pw) + * Returns true on success, false on failure and -1 on error. + */ + int +-sudo_auth_approval(struct passwd *pw, int validated) ++sudo_auth_approval(struct passwd *pw, int validated, bool exempt) + { + sudo_auth *auth; + debug_decl(sudo_auth_approval, SUDOERS_DEBUG_AUTH) +@@ -171,7 +171,7 @@ sudo_auth_approval(struct passwd *pw, int validated) + /* Call approval routines. */ + for (auth = auth_switch; auth->name; auth++) { + if (auth->approval && !IS_DISABLED(auth)) { +- int status = (auth->approval)(pw, auth); ++ int status = (auth->approval)(pw, auth, exempt); + if (status != AUTH_SUCCESS) { + /* Assume error msg already printed. */ + log_auth_failure(validated, 0); +diff --git a/plugins/sudoers/auth/sudo_auth.h b/plugins/sudoers/auth/sudo_auth.h +index ea5ed9cd..9ae69cd5 100644 +--- a/plugins/sudoers/auth/sudo_auth.h ++++ b/plugins/sudoers/auth/sudo_auth.h +@@ -31,7 +31,7 @@ typedef struct sudo_auth { + int (*init)(struct passwd *pw, struct sudo_auth *auth); + int (*setup)(struct passwd *pw, char **prompt, struct sudo_auth *auth); + int (*verify)(struct passwd *pw, char *p, struct sudo_auth *auth, struct sudo_conv_callback *callback); +- int (*approval)(struct passwd *pw, struct sudo_auth *auth); ++ int (*approval)(struct passwd *pw, struct sudo_auth *auth, bool exempt); + int (*cleanup)(struct passwd *pw, struct sudo_auth *auth); + int (*begin_session)(struct passwd *pw, char **user_env[], struct sudo_auth *auth); + int (*end_session)(struct passwd *pw, struct sudo_auth *auth); +@@ -56,7 +56,7 @@ extern sudo_conv_t sudo_conv; + /* Prototypes for standalone methods */ + int bsdauth_init(struct passwd *pw, sudo_auth *auth); + int bsdauth_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback); +-int bsdauth_approval(struct passwd *pw, sudo_auth *auth); ++int bsdauth_approval(struct passwd *pw, sudo_auth *auth, bool exempt); + int bsdauth_cleanup(struct passwd *pw, sudo_auth *auth); + int sudo_aix_init(struct passwd *pw, sudo_auth *auth); + int sudo_aix_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback); +@@ -67,7 +67,7 @@ int sudo_fwtk_cleanup(struct passwd *pw, sudo_auth *auth); + int sudo_pam_init(struct passwd *pw, sudo_auth *auth); + int sudo_pam_init_quiet(struct passwd *pw, sudo_auth *auth); + int sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback); +-int sudo_pam_approval(struct passwd *pw, sudo_auth *auth); ++int sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt); + int sudo_pam_cleanup(struct passwd *pw, sudo_auth *auth); + int sudo_pam_begin_session(struct passwd *pw, char **user_env[], sudo_auth *auth); + int sudo_pam_end_session(struct passwd *pw, sudo_auth *auth); +diff --git a/plugins/sudoers/check.c b/plugins/sudoers/check.c +index ed49d63a..486a80d8 100644 +--- a/plugins/sudoers/check.c ++++ b/plugins/sudoers/check.c +@@ -175,6 +175,7 @@ check_user(int validated, int mode) + { + struct passwd *auth_pw; + int ret = -1; ++ bool exempt = false; + debug_decl(check_user, SUDOERS_DEBUG_AUTH) + + /* +@@ -194,6 +195,7 @@ check_user(int validated, int mode) + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: %s", __func__, + !def_authenticate ? "authentication disabled" : + "user exempt from authentication"); ++ exempt = true; + ret = true; + goto done; + } +@@ -218,7 +220,7 @@ check_user(int validated, int mode) + done: + if (ret == true) { + /* The approval function may disallow a user post-authentication. */ +- ret = sudo_auth_approval(auth_pw, validated); ++ ret = sudo_auth_approval(auth_pw, validated, exempt); + } + sudo_auth_cleanup(auth_pw); + sudo_pw_delref(auth_pw); +diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h +index 57db74c1..956cb084 100644 +--- a/plugins/sudoers/sudoers.h ++++ b/plugins/sudoers/sudoers.h +@@ -265,7 +265,7 @@ int verify_user(struct passwd *pw, char *prompt, int validated, struct sudo_conv + int sudo_auth_begin_session(struct passwd *pw, char **user_env[]); + int sudo_auth_end_session(struct passwd *pw); + int sudo_auth_init(struct passwd *pw); +-int sudo_auth_approval(struct passwd *pw, int validated); ++int sudo_auth_approval(struct passwd *pw, int validated, bool exempt); + int sudo_auth_cleanup(struct passwd *pw); + + /* set_perms.c */ +-- +2.13.6 + diff --git a/SOURCES/sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch b/SOURCES/sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch new file mode 100644 index 0000000..25bbfe9 --- /dev/null +++ b/SOURCES/sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch @@ -0,0 +1,70 @@ +diff -up sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok +--- sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok.defaults-double-quote-fix 2018-09-24 18:10:37.235000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok 2018-09-24 18:11:40.153000000 +0200 +@@ -34,7 +34,7 @@ + }, + { + "Binding": [ +- { "username": "%them" } ++ { "usergroup": "them" } + ], + "Options": [ + { "set_home": true } +@@ -42,7 +42,7 @@ + }, + { + "Binding": [ +- { "username": "%: non UNIX 0 c" } ++ { "nonunixgroup": " non UNIX 0 c" } + ], + "Options": [ + { "set_home": true } +@@ -50,7 +50,7 @@ + }, + { + "Binding": [ +- { "username": "+net" } ++ { "netgroup": "net" } + ], + "Options": [ + { "set_home": true } +diff -up sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok +--- sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok.defaults-double-quote-fix 2018-09-24 18:10:25.216000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok 2018-09-24 18:11:45.213000000 +0200 +@@ -29,9 +29,9 @@ DEFAULTS_HOST BEGINSTR STRBODY ENDSTR WO + # + DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR + DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR +-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR +-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR +-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR ++DEFAULTS_USER BEGINSTR STRBODY ENDSTR USERGROUP DEFVAR ++DEFAULTS_USER BEGINSTR STRBODY ENDSTR USERGROUP DEFVAR ++DEFAULTS_USER BEGINSTR STRBODY ENDSTR NETGROUP DEFVAR + + # + DEFAULTS_RUNAS BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR +diff -up sudo-1.8.23/plugins/sudoers/toke.c.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/toke.c +--- sudo-1.8.23/plugins/sudoers/toke.c.defaults-double-quote-fix 2018-04-29 21:59:23.000000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/toke.c 2018-09-24 18:06:15.527000000 +0200 +@@ -2395,7 +2395,7 @@ YY_RULE_SETUP + LEXTRACE("ERROR "); /* empty string */ + LEXRETURN(ERROR); + } +- if (prev_state == INITIAL) { ++ if (prev_state == INITIAL || prev_state == GOTDEFS) { + switch (sudoerslval.string[0]) { + case '%': + if (sudoerslval.string[1] == '\0' || +diff -up sudo-1.8.23/plugins/sudoers/toke.l.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/toke.l +--- sudo-1.8.23/plugins/sudoers/toke.l.defaults-double-quote-fix 2018-04-29 21:59:23.000000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/toke.l 2018-09-24 18:06:15.528000000 +0200 +@@ -187,7 +187,7 @@ DEFVAR [a-z_]+ + LEXTRACE("ERROR "); /* empty string */ + LEXRETURN(ERROR); + } +- if (prev_state == INITIAL) { ++ if (prev_state == INITIAL || prev_state == GOTDEFS) { + switch (sudoerslval.string[0]) { + case '%': + if (sudoerslval.string[1] == '\0' || diff --git a/SOURCES/sudo-1.8.23-fix_empty_username_in_do_syslog.patch b/SOURCES/sudo-1.8.23-fix_empty_username_in_do_syslog.patch new file mode 100644 index 0000000..8ad3955 --- /dev/null +++ b/SOURCES/sudo-1.8.23-fix_empty_username_in_do_syslog.patch @@ -0,0 +1,35 @@ +diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c +index 2c685cd..7751a67 100644 +--- a/plugins/sudoers/logging.c ++++ b/plugins/sudoers/logging.c +@@ -106,7 +106,15 @@ do_syslog(int pri, char *msg) + * Log the full line, breaking into multiple syslog(3) calls if necessary + */ + fmt = _("%8s : %s"); +- maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(sudo_user_name)); ++ ++ ++ if (!sudo_user_name) { ++ maxlen = def_syslog_maxlen - (strlen(fmt) - 5); ++ } ++ else { ++ maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(sudo_user_name)); ++ } ++ + for (p = msg; *p != '\0'; ) { + len = strlen(p); + if (len > maxlen) { +@@ -122,7 +130,12 @@ do_syslog(int pri, char *msg) + save = *tmp; + *tmp = '\0'; + +- mysyslog(pri, fmt, sudo_user_name, p); ++ if(!sudo_user_name) { ++ mysyslog(pri, fmt, "NaN", p); ++ } ++ else{ ++ mysyslog(pri, fmt, sudo_user_name, p); ++ } + + *tmp = save; /* restore saved character */ + diff --git a/SOURCES/sudo-1.8.23-ldapsearchuidfix.patch b/SOURCES/sudo-1.8.23-ldapsearchuidfix.patch new file mode 100644 index 0000000..9698d23 --- /dev/null +++ b/SOURCES/sudo-1.8.23-ldapsearchuidfix.patch @@ -0,0 +1,27 @@ +diff -up sudo-1.8.23/plugins/sudoers/ldap.c.ldapsearchuidfix sudo-1.8.23/plugins/sudoers/ldap.c +--- sudo-1.8.23/plugins/sudoers/ldap.c.ldapsearchuidfix 2018-04-29 21:59:31.000000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/ldap.c 2018-06-18 08:34:01.202686941 +0200 +@@ -1189,8 +1189,8 @@ sudo_ldap_build_pass1(LDAP *ld, struct p + if (ldap_conf.search_filter) + sz += strlen(ldap_conf.search_filter); + +- /* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */ +- sz += 29 + sudo_ldap_value_len(pw->pw_name); ++ /* Then add (|(sudoUser=USERNAME)(sudoUser=#uid)(sudoUser=ALL)) + NUL */ ++ sz += 29 + (12 + MAX_UID_T_LEN) + sudo_ldap_value_len(pw->pw_name); + + /* Add space for primary and supplementary groups and gids */ + if ((grp = sudo_getgrgid(pw->pw_gid)) != NULL) { +@@ -1253,6 +1253,12 @@ sudo_ldap_build_pass1(LDAP *ld, struct p + CHECK_LDAP_VCAT(buf, pw->pw_name, sz); + CHECK_STRLCAT(buf, ")", sz); + ++ /* Append user uid */ ++ (void) snprintf(gidbuf, sizeof(gidbuf), "%u", (unsigned int)pw->pw_uid); ++ (void) strlcat(buf, "(sudoUser=#", sz); ++ (void) strlcat(buf, gidbuf, sz); ++ (void) strlcat(buf, ")", sz); ++ + /* Append primary group and gid */ + if (grp != NULL) { + CHECK_STRLCAT(buf, "(sudoUser=%", sz); diff --git a/SOURCES/sudo-1.8.23-legacy-group-processing.patch b/SOURCES/sudo-1.8.23-legacy-group-processing.patch new file mode 100644 index 0000000..f838215 --- /dev/null +++ b/SOURCES/sudo-1.8.23-legacy-group-processing.patch @@ -0,0 +1,89 @@ +diff -up sudo-1.8.23/plugins/sudoers/cvtsudoers.c.legacy-group-processing sudo-1.8.23/plugins/sudoers/cvtsudoers.c +--- sudo-1.8.23/plugins/sudoers/cvtsudoers.c.legacy-group-processing 2018-06-28 11:24:25.966475241 +0200 ++++ sudo-1.8.23/plugins/sudoers/cvtsudoers.c 2018-06-28 11:26:40.215025493 +0200 +@@ -321,6 +321,15 @@ main(int argc, char *argv[]) + sudo_fatalx("error: unhandled input %d", input_format); + } + ++ /* ++ * cvtsudoers group filtering doesn't work if def_match_group_by_gid ++ * is set to true by default (at compile-time). It cannot be set to false ++ * because cvtsudoers doesn't apply the parsed Defaults. ++ * ++ * Related: sudo-1.8.23-legacy-group-processing.patch ++ */ ++ def_match_group_by_gid = def_legacy_group_processing = false; ++ + /* Apply filters. */ + filter_userspecs(conf); + filter_defaults(conf); +diff -up sudo-1.8.23/plugins/sudoers/defaults.c.legacy-group-processing sudo-1.8.23/plugins/sudoers/defaults.c +--- sudo-1.8.23/plugins/sudoers/defaults.c.legacy-group-processing 2018-04-29 21:59:31.000000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/defaults.c 2018-06-28 11:24:25.966475241 +0200 +@@ -87,6 +87,7 @@ static struct early_default early_defaul + { I_FQDN }, + #endif + { I_MATCH_GROUP_BY_GID }, ++ { I_LEGACY_GROUP_PROCESSING }, + { I_GROUP_PLUGIN }, + { I_RUNAS_DEFAULT }, + { I_SUDOERS_LOCALE }, +@@ -488,6 +489,8 @@ init_defaults(void) + } + + /* First initialize the flags. */ ++ def_legacy_group_processing = true; ++ def_match_group_by_gid = true; + #ifdef LONG_OTP_PROMPT + def_long_otp_prompt = true; + #endif +diff -up sudo-1.8.23/plugins/sudoers/def_data.c.legacy-group-processing sudo-1.8.23/plugins/sudoers/def_data.c +--- sudo-1.8.23/plugins/sudoers/def_data.c.legacy-group-processing 2018-04-29 21:59:31.000000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/def_data.c 2018-06-28 11:24:25.966475241 +0200 +@@ -494,6 +494,10 @@ struct sudo_defs_types sudo_defs_table[] + N_("Ignore case when matching group names"), + NULL, + }, { ++ "legacy_group_processing", T_FLAG, ++ N_("Don't pre-resolve all group names"), ++ NULL, ++ }, { + NULL, 0, NULL + } + }; +diff -up sudo-1.8.23/plugins/sudoers/def_data.h.legacy-group-processing sudo-1.8.23/plugins/sudoers/def_data.h +--- sudo-1.8.23/plugins/sudoers/def_data.h.legacy-group-processing 2018-04-29 21:59:31.000000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/def_data.h 2018-06-28 11:24:25.967475238 +0200 +@@ -226,6 +226,8 @@ + #define def_case_insensitive_user (sudo_defs_table[I_CASE_INSENSITIVE_USER].sd_un.flag) + #define I_CASE_INSENSITIVE_GROUP 113 + #define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag) ++#define I_LEGACY_GROUP_PROCESSING 114 ++#define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag) + + enum def_tuple { + never, +diff -up sudo-1.8.23/plugins/sudoers/def_data.in.legacy-group-processing sudo-1.8.23/plugins/sudoers/def_data.in +--- sudo-1.8.23/plugins/sudoers/def_data.in.legacy-group-processing 2018-04-29 21:59:31.000000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/def_data.in 2018-06-28 11:24:25.967475238 +0200 +@@ -357,3 +357,6 @@ case_insensitive_user + case_insensitive_group + T_FLAG + "Ignore case when matching group names" ++legacy_group_processing ++ T_FLAG ++ "Don't pre-resolve all group names" +diff -up sudo-1.8.23/plugins/sudoers/sudoers.c.legacy-group-processing sudo-1.8.23/plugins/sudoers/sudoers.c +--- sudo-1.8.23/plugins/sudoers/sudoers.c.legacy-group-processing 2018-04-29 21:59:31.000000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/sudoers.c 2018-06-28 11:24:25.967475238 +0200 +@@ -209,6 +209,10 @@ sudoers_policy_init(void *info, char * c + if (set_loginclass(runas_pw ? runas_pw : sudo_user.pw)) + ret = true; + ++ if (!def_match_group_by_gid || !def_legacy_group_processing) { ++ def_match_group_by_gid = false; ++ def_legacy_group_processing = false; ++ } + cleanup: + if (!restore_perms()) + ret = -1; diff --git a/SOURCES/sudo-1.8.23-nowaitopt.patch b/SOURCES/sudo-1.8.23-nowaitopt.patch new file mode 100644 index 0000000..6406396 --- /dev/null +++ b/SOURCES/sudo-1.8.23-nowaitopt.patch @@ -0,0 +1,61 @@ +diff -up sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.c +--- sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt 2018-06-18 09:36:34.249307795 +0200 ++++ sudo-1.8.23/plugins/sudoers/def_data.c 2018-06-18 09:43:12.122986032 +0200 +@@ -498,6 +498,10 @@ struct sudo_defs_types sudo_defs_table[] + N_("Don't pre-resolve all group names"), + NULL, + }, { ++ "cmnd_no_wait", T_FLAG, ++ N_("Don't fork and wait for the command to finish, just exec it"), ++ NULL, ++ }, { + NULL, 0, NULL + } + }; +diff -up sudo-1.8.23/plugins/sudoers/def_data.h.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.h +--- sudo-1.8.23/plugins/sudoers/def_data.h.nowaitopt 2018-06-18 09:36:34.250307792 +0200 ++++ sudo-1.8.23/plugins/sudoers/def_data.h 2018-06-18 09:43:44.541878327 +0200 +@@ -228,6 +228,8 @@ + #define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag) + #define I_LEGACY_GROUP_PROCESSING 114 + #define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag) ++#define I_CMND_NO_WAIT 115 ++#define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag) + + enum def_tuple { + never, +diff -up sudo-1.8.23/plugins/sudoers/def_data.in.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.in +--- sudo-1.8.23/plugins/sudoers/def_data.in.nowaitopt 2018-06-18 09:36:34.250307792 +0200 ++++ sudo-1.8.23/plugins/sudoers/def_data.in 2018-06-18 09:45:00.076627403 +0200 +@@ -360,3 +360,6 @@ case_insensitive_group + legacy_group_processing + T_FLAG + "Don't pre-resolve all group names" ++cmnd_no_wait ++ T_FLAG ++ "Don't fork and wait for the command to finish, just exec it" +diff -up sudo-1.8.23/plugins/sudoers/policy.c.nowaitopt sudo-1.8.23/plugins/sudoers/policy.c +diff -up sudo-1.8.23/plugins/sudoers/sudoers.c.nowaitopt sudo-1.8.23/plugins/sudoers/sudoers.c +--- sudo-1.8.23/plugins/sudoers/sudoers.c.nowaitopt 2018-06-18 11:31:51.883751328 +0200 ++++ sudo-1.8.23/plugins/sudoers/sudoers.c 2018-06-18 11:31:03.670899166 +0200 +@@ -213,6 +213,20 @@ sudoers_policy_init(void *info, char * c + def_match_group_by_gid = false; + def_legacy_group_processing = false; + } ++ ++ /* ++ * Emulate cmnd_no_wait option by disabling PAM session, PTY allocation ++ * and I/O logging. This will cause sudo to execute the given command ++ * directly instead of forking a separate process for it. ++ */ ++ if (def_cmnd_no_wait) { ++ def_pam_setcred = false; ++ def_pam_session = false; ++ def_use_pty = false; ++ def_log_input = false; ++ def_log_output = false; ++ } ++ + cleanup: + if (!restore_perms()) + ret = -1; diff --git a/SOURCES/sudo-1.8.23-pam_access-and-terminals.patch b/SOURCES/sudo-1.8.23-pam_access-and-terminals.patch new file mode 100644 index 0000000..94c46c8 --- /dev/null +++ b/SOURCES/sudo-1.8.23-pam_access-and-terminals.patch @@ -0,0 +1,344 @@ +unchanged: +--- b/plugins/sudoers/auth/pam.c ++++ b/plugins/sudoers/auth/pam.c +@@ -210,59 +210,71 @@ + sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt) + { + const char *s; ++ int rc, status = AUTH_SUCCESS; + int *pam_status = (int *) auth->data; + debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH) + +- *pam_status = pam_acct_mgmt(pamh, PAM_SILENT); +- switch (*pam_status) { ++ rc = pam_acct_mgmt(pamh, PAM_SILENT); ++ switch (rc) { + case PAM_SUCCESS: +- debug_return_int(AUTH_SUCCESS); ++ break; + case PAM_AUTH_ERR: + log_warningx(0, N_("account validation failure, " + "is your account locked?")); +- debug_return_int(AUTH_FATAL); ++ status = AUTH_FATAL; ++ break; + case PAM_NEW_AUTHTOK_REQD: + /* Ignore if user is exempt from password restrictions. */ +- if (exempt) +- debug_return_int(AUTH_SUCCESS); ++ if (exempt) { ++ rc = *pam_status; ++ break; ++ } + /* New password required, try to change it. */ + log_warningx(0, N_("Account or password is " + "expired, reset your password and try again")); +- *pam_status = pam_chauthtok(pamh, +- PAM_CHANGE_EXPIRED_AUTHTOK); +- if (*pam_status == PAM_SUCCESS) +- debug_return_int(AUTH_SUCCESS); +- if ((s = pam_strerror(pamh, *pam_status)) == NULL) ++ rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); ++ if (rc == PAM_SUCCESS) ++ break; ++ if ((s = pam_strerror(pamh, rc)) == NULL) + s = "unknown error"; + log_warningx(0, + N_("unable to change expired password: %s"), s); +- debug_return_int(AUTH_FAILURE); ++ status = AUTH_FAILURE; ++ break; + case PAM_AUTHTOK_EXPIRED: + /* Ignore if user is exempt from password restrictions. */ +- if (exempt) +- debug_return_int(AUTH_SUCCESS); ++ if (exempt) { ++ rc = *pam_status; ++ break; ++ } + /* Password expired, cannot be updated by user. */ + log_warningx(0, + N_("Password expired, contact your system administrator")); +- debug_return_int(AUTH_FATAL); ++ status = AUTH_FATAL; ++ break; + case PAM_ACCT_EXPIRED: + log_warningx(0, + N_("Account expired or PAM config lacks an \"account\" " + "section for sudo, contact your system administrator")); +- debug_return_int(AUTH_FATAL); ++ status = AUTH_FATAL; ++ break; + case PAM_AUTHINFO_UNAVAIL: + case PAM_MAXTRIES: + case PAM_PERM_DENIED: +- s = pam_strerror(pamh, *pam_status); ++ s = pam_strerror(pamh, rc); + log_warningx(0, N_("PAM account management error: %s"), + s ? s : "unknown error"); +- debug_return_int(AUTH_FAILURE); ++ status = AUTH_FAILURE; ++ break; + default: +- s = pam_strerror(pamh, *pam_status); ++ s = pam_strerror(pamh, rc); + log_warningx(0, N_("PAM account management error: %s"), + s ? s : "unknown error"); +- debug_return_int(AUTH_FATAL); ++ status = AUTH_FATAL; ++ break; + } ++ *pam_status = rc; ++ debug_return_int(status); + } + + int +unchanged: +--- a/doc/sudoers.cat ++++ b/doc/sudoers.cat +@@ -1286,6 +1286,17 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS + well as the _P_r_e_v_e_n_t_i_n_g _s_h_e_l_l _e_s_c_a_p_e_s section at the end + of this manual. This flag is _o_f_f by default. + ++ pam_acct_mgmt On systems that use PAM for authentication, ssuuddoo will ++ perform PAM account validation for the invoking user by ++ default. The actual checks performed depend on which ++ PAM modules are configured. If enabled, account ++ validation will be performed regardless of whether or ++ not a password is required. This flag is _o_n by ++ default. ++ ++ This setting is only supported by version 1.8.28 or ++ higher. ++ + pam_session On systems that use PAM for authentication, ssuuddoo will + create a new PAM session for the command to be run in. + Disabling _p_a_m___s_e_s_s_i_o_n may be needed on older PAM +unchanged: +--- a/doc/sudoers.man.in ++++ b/doc/sudoers.man.in +@@ -2722,6 +2722,19 @@ This flag is + \fIoff\fR + by default. + .TP 18n ++pam_acct_mgmt ++On systems that use PAM for authentication, ++\fBsudo\fR ++will perform PAM account validation for the invoking user by default. ++The actual checks performed depend on which PAM modules are configured. ++If enabled, account validation will be performed regardless of whether ++or not a password is required. ++This flag is ++\fIon\fR ++by default. ++.sp ++This setting is only supported by version 1.8.28 or higher. ++.TP 18n + pam_session + On systems that use PAM for authentication, + \fBsudo\fR +unchanged: +--- a/doc/sudoers.mdoc.in ++++ b/doc/sudoers.mdoc.in +@@ -2560,6 +2560,18 @@ section at the end of this manual. + This flag is + .Em off + by default. ++.It pam_acct_mgmt ++On systems that use PAM for authentication, ++.Nm sudo ++will perform PAM account validation for the invoking user by default. ++The actual checks performed depend on which PAM modules are configured. ++If enabled, account validation will be performed regardless of whether ++or not a password is required. ++This flag is ++.Em on ++by default. ++.Pp ++This setting is only supported by version 1.8.28 or higher. + .It pam_session + On systems that use PAM for authentication, + .Nm sudo +only in patch2: +unchanged: +--- ./plugins/sudoers/auth/pam.c.pamm 2019-01-11 21:30:17.000000000 +0100 ++++ ./plugins/sudoers/auth/pam.c 2019-08-02 15:14:38.980077956 +0200 +@@ -214,66 +214,68 @@ sudo_pam_approval(struct passwd *pw, sud + int *pam_status = (int *) auth->data; + debug_decl(sudo_pam_approval, SUDOERS_DEBUG_AUTH) + +- rc = pam_acct_mgmt(pamh, PAM_SILENT); +- switch (rc) { +- case PAM_SUCCESS: +- break; +- case PAM_AUTH_ERR: +- log_warningx(0, N_("account validation failure, " +- "is your account locked?")); +- status = AUTH_FATAL; +- break; +- case PAM_NEW_AUTHTOK_REQD: +- /* Ignore if user is exempt from password restrictions. */ +- if (exempt) { +- rc = *pam_status; +- break; +- } +- /* New password required, try to change it. */ +- log_warningx(0, N_("Account or password is " +- "expired, reset your password and try again")); +- rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); +- if (rc == PAM_SUCCESS) +- break; +- if ((s = pam_strerror(pamh, rc)) == NULL) +- s = "unknown error"; +- log_warningx(0, +- N_("unable to change expired password: %s"), s); +- status = AUTH_FAILURE; +- break; +- case PAM_AUTHTOK_EXPIRED: +- /* Ignore if user is exempt from password restrictions. */ +- if (exempt) { +- rc = *pam_status; +- break; +- } +- /* Password expired, cannot be updated by user. */ +- log_warningx(0, +- N_("Password expired, contact your system administrator")); +- status = AUTH_FATAL; +- break; +- case PAM_ACCT_EXPIRED: +- log_warningx(0, +- N_("Account expired or PAM config lacks an \"account\" " +- "section for sudo, contact your system administrator")); +- status = AUTH_FATAL; +- break; +- case PAM_AUTHINFO_UNAVAIL: +- case PAM_MAXTRIES: +- case PAM_PERM_DENIED: +- s = pam_strerror(pamh, rc); +- log_warningx(0, N_("PAM account management error: %s"), +- s ? s : "unknown error"); +- status = AUTH_FAILURE; +- break; +- default: +- s = pam_strerror(pamh, rc); +- log_warningx(0, N_("PAM account management error: %s"), +- s ? s : "unknown error"); +- status = AUTH_FATAL; +- break; ++ if (def_pam_acct_mgmt) { ++ rc = pam_acct_mgmt(pamh, PAM_SILENT); ++ switch (rc) { ++ case PAM_SUCCESS: ++ break; ++ case PAM_AUTH_ERR: ++ log_warningx(0, N_("account validation failure, " ++ "is your account locked?")); ++ status = AUTH_FATAL; ++ break; ++ case PAM_NEW_AUTHTOK_REQD: ++ /* Ignore if user is exempt from password restrictions. */ ++ if (exempt) { ++ rc = *pam_status; ++ break; ++ } ++ /* New password required, try to change it. */ ++ log_warningx(0, N_("Account or password is " ++ "expired, reset your password and try again")); ++ rc = pam_chauthtok(pamh, PAM_CHANGE_EXPIRED_AUTHTOK); ++ if (rc == PAM_SUCCESS) ++ break; ++ if ((s = pam_strerror(pamh, rc)) == NULL) ++ s = "unknown error"; ++ log_warningx(0, ++ N_("unable to change expired password: %s"), s); ++ status = AUTH_FAILURE; ++ break; ++ case PAM_AUTHTOK_EXPIRED: ++ /* Ignore if user is exempt from password restrictions. */ ++ if (exempt) { ++ rc = *pam_status; ++ break; ++ } ++ /* Password expired, cannot be updated by user. */ ++ log_warningx(0, ++ N_("Password expired, contact your system administrator")); ++ status = AUTH_FATAL; ++ break; ++ case PAM_ACCT_EXPIRED: ++ log_warningx(0, ++ N_("Account expired or PAM config lacks an \"account\" " ++ "section for sudo, contact your system administrator")); ++ status = AUTH_FATAL; ++ break; ++ case PAM_AUTHINFO_UNAVAIL: ++ case PAM_MAXTRIES: ++ case PAM_PERM_DENIED: ++ s = pam_strerror(pamh, rc); ++ log_warningx(0, N_("PAM account management error: %s"), ++ s ? s : "unknown error"); ++ status = AUTH_FAILURE; ++ break; ++ default: ++ s = pam_strerror(pamh, rc); ++ log_warningx(0, N_("PAM account management error: %s"), ++ s ? s : "unknown error"); ++ status = AUTH_FATAL; ++ break; ++ } ++ *pam_status = rc; + } +- *pam_status = rc; + debug_return_int(status); + } + +only in patch2: +unchanged: +--- ./plugins/sudoers/defaults.c.pamm 2019-08-02 15:14:38.973077882 +0200 ++++ ./plugins/sudoers/defaults.c 2019-08-02 15:14:38.987078030 +0200 +@@ -642,6 +642,7 @@ init_defaults(void) + if ((def_editor = strdup(EDITOR)) == NULL) + goto oom; + def_set_utmp = true; ++ def_pam_acct_mgmt = true; + def_pam_setcred = true; + def_syslog_maxlen = MAXSYSLOGLEN; + def_case_insensitive_user = true; +only in patch2: +unchanged: +--- ./plugins/sudoers/def_data.c.pamm 2019-08-02 15:14:38.976077914 +0200 ++++ ./plugins/sudoers/def_data.c 2019-08-02 15:20:37.592876029 +0200 +@@ -502,6 +502,10 @@ struct sudo_defs_types sudo_defs_table[] + N_("Don't fork and wait for the command to finish, just exec it"), + NULL, + }, { ++ "pam_acct_mgmt", T_FLAG, ++ N_("Perform PAM account validation management"), ++ NULL, ++ }, { + NULL, 0, NULL + } + }; +only in patch2: +unchanged: +--- ./plugins/sudoers/def_data.h.pamm 2019-08-02 15:14:38.976077914 +0200 ++++ ./plugins/sudoers/def_data.h 2019-08-02 15:14:38.987078030 +0200 +@@ -230,6 +230,8 @@ + #define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag) + #define I_CMND_NO_WAIT 115 + #define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag) ++#define I_PAM_ACCT_MGMT 116 ++#define def_pam_acct_mgmt (sudo_defs_table[I_PAM_ACCT_MGMT].sd_un.flag) + + enum def_tuple { + never, +only in patch2: +unchanged: +--- ./plugins/sudoers/def_data.in.pamm 2019-08-02 15:14:38.976077914 +0200 ++++ ./plugins/sudoers/def_data.in 2019-08-02 15:14:38.987078030 +0200 +@@ -363,3 +363,6 @@ legacy_group_processing + cmnd_no_wait + T_FLAG + "Don't fork and wait for the command to finish, just exec it" ++pam_acct_mgmt ++ T_FLAG ++ "Perform PAM account validation management" diff --git a/SOURCES/sudo-1.8.23-sudoldapconfman.patch b/SOURCES/sudo-1.8.23-sudoldapconfman.patch new file mode 100644 index 0000000..3b52ea8 --- /dev/null +++ b/SOURCES/sudo-1.8.23-sudoldapconfman.patch @@ -0,0 +1,32 @@ +diff -up sudo-1.8.23/doc/Makefile.in.sudoldapconfman sudo-1.8.23/doc/Makefile.in +--- sudo-1.8.23/doc/Makefile.in.sudoldapconfman 2018-05-23 13:38:08.347538854 +0200 ++++ sudo-1.8.23/doc/Makefile.in 2018-05-23 13:38:12.806523146 +0200 +@@ -345,10 +345,16 @@ install-doc: install-dirs + rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \ + echo ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \ + ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \ ++ rm -f $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \ ++ echo ln -s sudoers.ldap.$(mansectform)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \ ++ ln -s sudoers.ldap.$(mansectform)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \ + else \ + rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \ + echo ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \ + ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \ ++ rm -f $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \ ++ echo ln -s sudoers.ldap.$(mansectform) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \ ++ ln -s sudoers.ldap.$(mansectform) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \ + fi + + install-plugin: +@@ -363,8 +369,9 @@ uninstall: + $(DESTDIR)$(mandirsu)/visudo.$(mansectsu) \ + $(DESTDIR)$(mandirform)/sudo.conf.$(mansectform) \ + $(DESTDIR)$(mandirform)/sudoers.$(mansectform) \ +- $(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform) +- $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform) ++ $(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform) \ ++ $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform) \ ++ $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform) + + splint: + diff --git a/SOURCES/sudo-1.8.23-who-am-i.patch b/SOURCES/sudo-1.8.23-who-am-i.patch new file mode 100644 index 0000000..2be1c3c --- /dev/null +++ b/SOURCES/sudo-1.8.23-who-am-i.patch @@ -0,0 +1,56 @@ +commit b2f7983c84fd01e0b29895d7df776b4b162fd8a5 +Author: Todd C. Miller +Date: Wed Jan 2 07:39:33 2019 -0700 + + Fix setting of utmp entry when running command in a pty. + Regression introduced in sudo 1.8.22. + +diff --git a/src/exec_pty.c b/src/exec_pty.c +index cbcccca3..68312a98 100644 +--- a/src/exec_pty.c ++++ b/src/exec_pty.c +@@ -140,7 +140,7 @@ pty_cleanup(void) + * and slavename globals. + */ + static bool +-pty_setup(uid_t uid, const char *tty) ++pty_setup(struct command_details *details, const char *tty) + { + debug_decl(pty_setup, SUDO_DEBUG_EXEC); + +@@ -152,12 +152,15 @@ pty_setup(uid_t uid, const char *tty) + } + + if (!get_pty(&io_fds[SFD_MASTER], &io_fds[SFD_SLAVE], +- slavename, sizeof(slavename), uid)) ++ slavename, sizeof(slavename), details->euid)) + sudo_fatal(U_("unable to allocate pty")); + + /* Add entry to utmp/utmpx? */ +- if (utmp_user != NULL) ++ if (ISSET(details->flags, CD_SET_UTMP)) { ++ utmp_user = ++ details->utmp_user ? details->utmp_user : user_details.username; + utmp_login(tty, slavename, io_fds[SFD_SLAVE], utmp_user); ++ } + + sudo_debug_printf(SUDO_DEBUG_INFO, + "%s: %s fd %d, pty master fd %d, pty slave fd %d", +@@ -1302,12 +1305,11 @@ exec_pty(struct command_details *details, struct command_status *cstat) + /* + * Allocate a pty. + */ +- if (pty_setup(details->euid, user_details.tty)) { +- if (ISSET(details->flags, CD_SET_UTMP)) +- utmp_user = details->utmp_user ? details->utmp_user : user_details.username; +- } else if (TAILQ_EMPTY(&io_plugins)) { +- /* Not logging I/O and didn't allocate a pty. */ +- debug_return_bool(false); ++ if (!pty_setup(details, user_details.tty)) { ++ if (TAILQ_EMPTY(&io_plugins)) { ++ /* Not logging I/O and didn't allocate a pty. */ ++ debug_return_bool(false); ++ } + } + + /* diff --git a/SOURCES/sudo-1.8.6p7-logsudouser.patch b/SOURCES/sudo-1.8.6p7-logsudouser.patch new file mode 100644 index 0000000..c3742a0 --- /dev/null +++ b/SOURCES/sudo-1.8.6p7-logsudouser.patch @@ -0,0 +1,90 @@ +From 06b46ae226fecd4188af372ac0ccd7aa582e21c8 Mon Sep 17 00:00:00 2001 +From: Tomas Sykora +Date: Wed, 17 Aug 2016 10:12:11 +0200 +Subject: [PATCH] Sudo logs username root instead of realuser + +RHEL7 sudo logs username root instead of realuser in /var/log/secure + +Rebased from: +Patch50: sudo-1.8.6p7-logsudouser.patch + +Resolves: +rhbz#1312486 +--- + plugins/sudoers/logging.c | 14 +++++++------- + plugins/sudoers/sudoers.h | 1 + + 2 files changed, 8 insertions(+), 7 deletions(-) + +diff --git a/plugins/sudoers/logging.c b/plugins/sudoers/logging.c +index 45cae67..74b2220 100644 +--- a/plugins/sudoers/logging.c ++++ b/plugins/sudoers/logging.c +@@ -104,7 +104,7 @@ do_syslog(int pri, char *msg) + * Log the full line, breaking into multiple syslog(3) calls if necessary + */ + fmt = _("%8s : %s"); +- maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(user_name)); ++ maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(sudo_user_name)); + for (p = msg; *p != '\0'; ) { + len = strlen(p); + if (len > maxlen) { +@@ -120,7 +120,7 @@ do_syslog(int pri, char *msg) + save = *tmp; + *tmp = '\0'; + +- mysyslog(pri, fmt, user_name, p); ++ mysyslog(pri, fmt, sudo_user_name, p); + + *tmp = save; /* restore saved character */ + +@@ -128,11 +128,11 @@ do_syslog(int pri, char *msg) + for (p = tmp; *p == ' '; p++) + continue; + } else { +- mysyslog(pri, fmt, user_name, p); ++ mysyslog(pri, fmt, sudo_user_name, p); + p += len; + } + fmt = _("%8s : (command continued) %s"); +- maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(user_name)); ++ maxlen = def_syslog_maxlen - (strlen(fmt) - 5 + strlen(sudo_user_name)); + } + + sudoers_setlocale(oldlocale, NULL); +@@ -179,10 +179,10 @@ do_logfile(const char *msg) + timestr = "invalid date"; + if (def_log_host) { + len = asprintf(&full_line, "%s : %s : HOST=%s : %s", +- timestr, user_name, user_srunhost, msg); ++ timestr, sudo_user_name, user_srunhost, msg); + } else { + len = asprintf(&full_line, "%s : %s : %s", +- timestr, user_name, msg); ++ timestr, sudo_user_name, msg); + } + if (len == -1) { + sudo_warnx(U_("%s: %s"), __func__, U_("unable to allocate memory")); +@@ -746,7 +746,7 @@ send_mail(const char *fmt, ...) + + if ((timestr = get_timestr(time(NULL), def_log_year)) == NULL) + timestr = "invalid date"; +- (void) fprintf(mail, "\n\n%s : %s : %s : ", user_host, timestr, user_name); ++ (void) fprintf(mail, "\n\n%s : %s : %s : ", user_host, timestr, sudo_user_name); + va_start(ap, fmt); + (void) vfprintf(mail, fmt, ap); + va_end(ap); +diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h +index cfd5abb..c69a043 100644 +--- a/plugins/sudoers/sudoers.h ++++ b/plugins/sudoers/sudoers.h +@@ -180,6 +180,7 @@ struct sudo_user { + /* + * Shortcuts for sudo_user contents. + */ ++#define sudo_user_name (sudo_user.pw->pw_name) + #define user_name (sudo_user.name) + #define user_uid (sudo_user.uid) + #define user_gid (sudo_user.gid) +-- +2.7.4 + diff --git a/SOURCES/sudo-ldap.conf b/SOURCES/sudo-ldap.conf new file mode 100644 index 0000000..d8f8e4d --- /dev/null +++ b/SOURCES/sudo-ldap.conf @@ -0,0 +1,86 @@ +## BINDDN DN +## The BINDDN parameter specifies the identity, in the form of a Dis‐ +## tinguished Name (DN), to use when performing LDAP operations. If +## not specified, LDAP operations are performed with an anonymous +## identity. By default, most LDAP servers will allow anonymous +## access. +## +#binddn uid=sudo,cn=sysaccounts,cn=etc,dc=example,dc=com + +## BINDPW secret +## The BINDPW parameter specifies the password to use when performing +## LDAP operations. This is typically used in conjunction with the +## BINDDN parameter. +## +#bindpw secret + +## SSL start_tls +## If the SSL parameter is set to start_tls, the LDAP server connec‐ +## tion is initiated normally and TLS encryption is begun before the +## bind credentials are sent. This has the advantage of not requiring +## a dedicated port for encrypted communications. This parameter is +## only supported by LDAP servers that honor the start_tls extension, +## such as the OpenLDAP and Tivoli Directory servers. +## +#ssl start_tls + +## TLS_CACERTFILE file name +## The path to a certificate authority bundle which contains the cer‐ +## tificates for all the Certificate Authorities the client knows to +## be valid, e.g. /etc/ssl/ca-bundle.pem. This option is only sup‐ +## ported by the OpenLDAP libraries. Netscape-derived LDAP libraries +## use the same certificate database for CA and client certificates +## (see TLS_CERT). +## +#tls_cacertfile /path/to/CA.crt + +## TLS_CHECKPEER on/true/yes/off/false/no +## If enabled, TLS_CHECKPEER will cause the LDAP server's TLS certifi‐ +## cated to be verified. If the server's TLS certificate cannot be +## verified (usually because it is signed by an unknown certificate +## authority), sudo will be unable to connect to it. If TLS_CHECKPEER +## is disabled, no check is made. Note that disabling the check cre‐ +## ates an opportunity for man-in-the-middle attacks since the +## server's identity will not be authenticated. If possible, the CA's +## certificate should be installed locally so it can be verified. +## This option is not supported by the Tivoli Directory Server LDAP +## libraries. +#tls_checkpeer yes + +## +## URI ldap[s]://[hostname[:port]] ... +## Specifies a whitespace-delimited list of one or more +## URIs describing the LDAP server(s) to connect to. +## +#uri ldap://ldapserver + +## +## SUDOERS_BASE base +## The base DN to use when performing sudo LDAP queries. +## Multiple SUDOERS_BASE lines may be specified, in which +## case they are queried in the order specified. +## +#sudoers_base ou=SUDOers,dc=example,dc=com + +## +## BIND_TIMELIMIT seconds +## The BIND_TIMELIMIT parameter specifies the amount of +## time to wait while trying to connect to an LDAP server. +## +#bind_timelimit 30 + +## +## TIMELIMIT seconds +## The TIMELIMIT parameter specifies the amount of time +## to wait for a response to an LDAP query. +## +#timelimit 30 + +## +## SUDOERS_DEBUG debug_level +## This sets the debug level for sudo LDAP queries. Debugging +## information is printed to the standard error. A value of 1 +## results in a moderate amount of debugging information. +## A value of 2 shows the results of the matches themselves. +## +#sudoers_debug 1 diff --git a/SOURCES/sudo.conf b/SOURCES/sudo.conf new file mode 100644 index 0000000..3047842 --- /dev/null +++ b/SOURCES/sudo.conf @@ -0,0 +1,57 @@ +# +# Default /etc/sudo.conf file +# +# Format: +# Plugin plugin_name plugin_path plugin_options ... +# Path askpass /path/to/askpass +# Path noexec /path/to/sudo_noexec.so +# Debug sudo /var/log/sudo_debug all@warn +# Set disable_coredump true +# +# Sudo plugins: +# +# The plugin_path is relative to ${prefix}/libexec unless fully qualified. +# The plugin_name corresponds to a global symbol in the plugin +# that contains the plugin interface structure. +# The plugin_options are optional. +# +# The sudoers plugin is used by default if no Plugin lines are present. +Plugin sudoers_policy sudoers.so +Plugin sudoers_io sudoers.so + +# +# Sudo askpass: +# +# An askpass helper program may be specified to provide a graphical +# password prompt for "sudo -A" support. Sudo does not ship with its +# own passpass program but can use the OpenSSH askpass. +# +# Use the OpenSSH askpass +#Path askpass /usr/X11R6/bin/ssh-askpass +# +# Use the Gnome OpenSSH askpass +#Path askpass /usr/libexec/openssh/gnome-ssh-askpass + +# +# Sudo noexec: +# +# Path to a shared library containing dummy versions of the execv(), +# execve() and fexecve() library functions that just return an error. +# This is used to implement the "noexec" functionality on systems that +# support C or its equivalent. +# The compiled-in value is usually sufficient and should only be changed +# if you rename or move the sudo_noexec.so file. +# +#Path noexec /usr/libexec/sudo_noexec.so + +# +# Core dumps: +# +# By default, sudo disables core dumps while it is executing (they +# are re-enabled for the command that is run). +# To aid in debugging sudo problems, you may wish to enable core +# dumps by setting "disable_coredump" to false. +# +# Set to false here so as not to interfere with /proc/sys/fs/suid_dumpable +# +Set disable_coredump false diff --git a/SOURCES/sudoers b/SOURCES/sudoers new file mode 100644 index 0000000..93e02ba --- /dev/null +++ b/SOURCES/sudoers @@ -0,0 +1,120 @@ +## Sudoers allows particular users to run various commands as +## the root user, without needing the root password. +## +## Examples are provided at the bottom of the file for collections +## of related commands, which can then be delegated out to particular +## users or groups. +## +## This file must be edited with the 'visudo' command. + +## Host Aliases +## Groups of machines. You may prefer to use hostnames (perhaps using +## wildcards for entire domains) or IP addresses instead. +# Host_Alias FILESERVERS = fs1, fs2 +# Host_Alias MAILSERVERS = smtp, smtp2 + +## User Aliases +## These aren't often necessary, as you can use regular groups +## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname +## rather than USERALIAS +# User_Alias ADMINS = jsmith, mikem + + +## Command Aliases +## These are groups of related commands... + +## Networking +# Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool + +## Installation and management of software +# Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum + +## Services +# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable + +## Updating the locate database +# Cmnd_Alias LOCATE = /usr/bin/updatedb + +## Storage +# Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount + +## Delegating permissions +# Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp + +## Processes +# Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall + +## Drivers +# Cmnd_Alias DRIVERS = /sbin/modprobe + +# Defaults specification + +# +# Refuse to run if unable to disable echo on the tty. +# +Defaults !visiblepw + +# +# Preserving HOME has security implications since many programs +# use it when searching for configuration files. Note that HOME +# is already set when the the env_reset option is enabled, so +# this option is only effective for configurations where either +# env_reset is disabled or HOME is present in the env_keep list. +# +Defaults always_set_home +Defaults match_group_by_gid + +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + +Defaults env_reset +Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" +Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" +Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES" +Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE" +Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY" + +# +# Adding HOME to env_keep may enable a user to run unrestricted +# commands via sudo. +# +# Defaults env_keep += "HOME" + +Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin + +## Next comes the main part: which users can run what software on +## which machines (the sudoers file can be shared between multiple +## systems). +## Syntax: +## +## user MACHINE=COMMANDS +## +## The COMMANDS section may have other options added to it. +## +## Allow root to run any commands anywhere +root ALL=(ALL) ALL + +## Allows members of the 'sys' group to run networking, software, +## service management apps and more. +# %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS + +## Allows people in group wheel to run all commands +%wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Allows members of the users group to mount and unmount the +## cdrom as root +# %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom + +## Allows members of the users group to shutdown this system +# %users localhost=/sbin/shutdown -h now + +## Read drop-in files from /etc/sudoers.d (the # here does not mean a comment) +#includedir /etc/sudoers.d diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec new file mode 100644 index 0000000..19d4c0a --- /dev/null +++ b/SPECS/sudo.spec @@ -0,0 +1,1028 @@ +Summary: Allows restricted root access for specified users +Name: sudo +Version: 1.8.23 +Release: 7%{?dist} +License: ISC +Group: Applications/System +URL: http://www.courtesan.com/sudo/ +Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz +Source1: sudoers +Source2: sudo-ldap.conf +Source3: sudo.conf +Requires: /etc/pam.d/system-auth +Requires: /usr/bin/vi + +BuildRequires: /usr/sbin/sendmail +BuildRequires: autoconf +BuildRequires: automake +BuildRequires: bison +BuildRequires: flex +BuildRequires: gettext +BuildRequires: groff +BuildRequires: libtool +BuildRequires: audit-libs-devel +BuildRequires: libcap-devel +BuildRequires: libgcrypt-devel +BuildRequires: libgcrypt-devel +BuildRequires: libselinux-devel +BuildRequires: openldap-devel +BuildRequires: pam-devel +BuildRequires: zlib-devel + +# don't strip +Patch1: sudo-1.6.7p5-strip.patch +# configure.in fix +Patch2: sudo-1.7.2p1-envdebug.patch +# 881258 - rpmdiff: added missing sudo-ldap.conf manpage +Patch3: sudo-1.8.23-sudoldapconfman.patch +# 1247591 - Sudo taking a long time when user information is stored externally. +Patch4: sudo-1.8.23-legacy-group-processing.patch +# 1135539 - sudo with ldap doesn't work with 'user id' in sudoUser option +Patch5: sudo-1.8.23-ldapsearchuidfix.patch +# 1312486 - RHEL7 sudo logs username "root" instead of realuser in /var/log/secure +Patch6: sudo-1.8.6p7-logsudouser.patch +# 840980 - sudo creates a new parent process +# Adds cmnd_no_wait Defaults option +Patch7: sudo-1.8.23-nowaitopt.patch +# 1533964 - sudo skips PAM account module in case NOPASSWD is used in sudoers +# This is fix of a regression in the referenced feature request. It was fixed +# in newer versions of sudo and we backport it to prevent future regression +# bz in RHEL. The feature itself was delivered via the rebase to 1.8.23. +Patch8: sudo-1.8.23-Ignore-PAM_NEW_AUTHTOK_REQD-and-PAM_AUTHTOK_EXPIRED.patch +# 1547974 - (sudo-rhel-7.6-rebase) Rebase sudo to latest stable upstream version +Patch9: sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch + +# 1647678 - sudo access denied with pam_access and pts terminal configurations +# 1672876 - Backporting sudo bug with expired passwords - this is included in in this patch +Patch10: sudo-1.8.23-pam_access-and-terminals.patch + +# 1665285 - Problem with sudo-1.8.23 and 'who am i' +Patch11: sudo-1.8.23-who-am-i.patch + +# 1738841 - Crash in do_syslog() while doing sudoedit +Patch12: sudo-1.8.23-fix_empty_username_in_do_syslog.patch + +%description +Sudo (superuser do) allows a system administrator to give certain +users (or groups of users) the ability to run some (or all) commands +as root while logging all commands and arguments. Sudo operates on a +per-command basis. It is not a replacement for the shell. Features +include: the ability to restrict what commands a user may run on a +per-host basis, copious logging of each command (providing a clear +audit trail of who did what), a configurable timeout of the sudo +command, and the ability to use the same configuration file (sudoers) +on many different machines. + +%package devel +Summary: Development files for %{name} +Group: Development/Libraries +Requires: %{name} = %{version}-%{release} + +%description devel +The %{name}-devel package contains header files developing sudo +plugins that use %{name}. + +%prep +%setup -q + +%patch1 -p1 -b .strip +%patch2 -p1 -b .envdebug +%patch3 -p1 -b .sudoldapconfman +%patch4 -p1 -b .legacy-group-processing +%patch5 -p1 -b .ldapsearchuidfix +%patch6 -p1 -b .logsudouser +%patch7 -p1 -b .nowaitopt +%patch8 -p1 -b .pam-mgmt-ignore-errors +%patch9 -p1 -b .defaults-double-quote-fix + +%patch10 -p1 -b .pam_access-and-terminals + +%patch11 -p1 -b .who-am-i +%patch12 -p1 -b .do_syslog-username + +%build +autoreconf -I m4 -fv --install + +%ifarch s390 s390x sparc64 +F_PIE=-fPIE +%else +F_PIE=-fpie +%endif + +export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" SHLIB_MODE=755 + +%configure \ + --prefix=%{_prefix} \ + --sbindir=%{_sbindir} \ + --libdir=%{_libdir} \ + --docdir=%{_datadir}/doc/%{name}-%{version} \ + --with-logging=syslog \ + --with-logfac=authpriv \ + --with-pam \ + --with-pam-login \ + --with-editor=/usr/bin/vi \ + --with-env-editor \ + --enable-gcrypt \ + --with-ignore-dot \ + --with-tty-tickets \ + --with-ldap \ + --with-ldap-conf-file="%{_sysconfdir}/sudo-ldap.conf" \ + --with-selinux \ + --with-passprompt="[sudo] password for %p: " \ + --with-linux-audit \ + --with-sssd + +make + +%check +make check + +%install +rm -rf %{buildroot} + +# Update README.LDAP (#736653) +sed -i 's|/etc/ldap\.conf|%{_sysconfdir}/sudo-ldap.conf|g' README.LDAP + +make install DESTDIR="%{buildroot}" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g` + +chmod 755 %{buildroot}%{_bindir}/* %{buildroot}%{_sbindir}/* +install -p -d -m 700 %{buildroot}%{_localstatedir}/db/sudo +install -p -d -m 700 %{buildroot}%{_localstatedir}/db/sudo/lectured +install -p -d -m 750 %{buildroot}%{_sysconfdir}/sudoers.d +install -p -c -m 0440 %{SOURCE1} %{buildroot}%{_sysconfdir}/sudoers +install -p -c -m 0640 %{SOURCE3} %{buildroot}%{_sysconfdir}/sudo.conf +install -p -c -m 0640 %{SOURCE2} %{buildroot}%{_sysconfdir}/sudo-ldap.conf + +# Remove upstream sudoers file +rm -f %{buildroot}%{_sysconfdir}/sudoers.dist + +# Remove all .la files +find %{buildroot} -name '*.la' -exec rm -f {} ';' + +%find_lang sudo +%find_lang sudoers + +cat sudo.lang sudoers.lang > sudo_all.lang +rm sudo.lang sudoers.lang + +mkdir -p %{buildroot}%{_sysconfdir}/pam.d +cat > %{buildroot}%{_sysconfdir}/pam.d/sudo << EOF +#%%PAM-1.0 +auth include system-auth +account include system-auth +password include system-auth +session optional pam_keyinit.so revoke +session include system-auth +EOF + +cat > %{buildroot}%{_sysconfdir}/pam.d/sudo-i << EOF +#%%PAM-1.0 +auth include sudo +account include sudo +password include sudo +session optional pam_keyinit.so force revoke +session include sudo +EOF + +%clean +rm -rf %{buildroot} + +%files -f sudo_all.lang +%defattr(-,root,root) +%attr(0440,root,root) %config(noreplace) %{_sysconfdir}/sudoers +%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/sudo.conf +%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/sudo-ldap.conf +%attr(0750,root,root) %dir %{_sysconfdir}/sudoers.d/ +%config(noreplace) %{_sysconfdir}/pam.d/sudo +%config(noreplace) %{_sysconfdir}/pam.d/sudo-i +%attr(0644,root,root) %{_tmpfilesdir}/sudo.conf +%dir %{_localstatedir}/db/sudo +%dir %{_localstatedir}/db/sudo/lectured +%attr(4111,root,root) %{_bindir}/sudo +%{_bindir}/sudoedit +%{_bindir}/cvtsudoers +%attr(0111,root,root) %{_bindir}/sudoreplay +%attr(0755,root,root) %{_sbindir}/visudo +%attr(0755,root,root) %{_libexecdir}/sudo/sesh +%attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so +%attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so +%attr(0644,root,root) %{_libexecdir}/sudo/group_file.so +%attr(0644,root,root) %{_libexecdir}/sudo/system_group.so +%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.? +%{_libexecdir}/sudo/libsudo_util.so.? +%{_libexecdir}/sudo/libsudo_util.so +%{_mandir}/man5/sudoers.5* +%{_mandir}/man5/sudoers.ldap.5* +%{_mandir}/man5/sudo-ldap.conf.5* +%{_mandir}/man5/sudo.conf.5* +%{_mandir}/man8/sudo.8* +%{_mandir}/man8/sudoedit.8* +%{_mandir}/man8/sudoreplay.8* +%{_mandir}/man8/visudo.8* +%{_mandir}/man1/cvtsudoers.1.gz +%{_mandir}/man5/sudoers_timestamp.5.gz +%dir %{_docdir}/sudo-%{version} +%{_docdir}/sudo-%{version}/* + +# Make sure permissions are ok even if we're updating +%post +/bin/chmod 0440 %{_sysconfdir}/sudoers || : + +%files devel +%defattr(-,root,root,-) +%doc plugins/sample/sample_plugin.c +%{_includedir}/sudo_plugin.h +%{_mandir}/man8/sudo_plugin.8* + +%changelog + +* Thu Aug 22 2019 Marek Tamaskovic 1.8.23-7 +- RHEL-7.8 erratum + Resolves: rhbz#1738841 Crash in do_syslog() while doing sudoedit + +* Mon Aug 19 2019 Marek Tamaskovic 1.8.23-6 +- RHEL-7.8 erratum + Resolves: rhbz#1647678 sudo access denied with pam_access and pts terminal configurations + +* Mon Aug 12 2019 Marek Tamaskovic 1.8.23-5 +- RHEL-7.8 erratum + Resolves: rhbz#1711997 sudo is super slow when /etc/security/limits.conf contains many entries + +* Wed Feb 20 2019 Radovan Sroka 1.8.23-4 +- RHEL-7.7 erratum + Resolves: rhbz#1672876 - Backporting sudo bug with expired passwords + Resolves: rhbz#1665285 - Problem with sudo-1.8.23 and 'who am i' + +* Mon Sep 24 2018 Daniel Kopecek 1.8.23-3 +- RHEL-7.6 erratum + Resolves: rhbz#1547974 - Rebase sudo to latest stable upstream version + +* Fri Sep 21 2018 Daniel Kopecek 1.8.23-2 +- RHEL-7.6 erratum + Resolves: rhbz#1533964 - sudo skips PAM account module in case NOPASSWD is used in sudoers + Resolves: rhbz#1506025 - Latest update broke sudo for ldap users. + Resolves: rhbz#1502630 - inclusion of system-auth for session hooks missing in sudo PAM snippets + +* Thu Jun 28 2018 Daniel Kopecek 1.8.23-1 +- RHEL-7.6 erratum + Resolves: rhbz#1547974 - Rebase sudo to latest stable upstream version (1.8.23) + Resolves: rhbz#1502630 - inclusion of system-auth for session hooks missing in sudo PAM snippets + Resolves: rhbz#1506025 - Latest update broke sudo for ldap users. + Resolves: rhbz#1533964 - sudo skips PAM account module in case NOPASSWD is used in sudoers + Resolves: rhbz#1548380 - RFE: Create flag to filter to sudo -l output + Resolves: rhbz#1510002 - Ensure that the command input (stdin) eating behaviour of Default log_input is documented + Resolves: rhbz#1596032 - Why does sudo package depend on vim-minimal? + +* Thu Nov 30 2017 Radovan Sroka 1.8.19p2-13 +- RHEL 7.5 erratum +- Fixed sudo -l checking results whether user should be authenticated +- Enabled LDAP filter patch +- Fixed double free in sssd + + Resolves: rhbz#1505409 + Resolves: rhbz#1511850 + Resolves: rhbz#1518104 + +* Mon Oct 02 2017 Radovan Sroka 1.8.19p2-12 +- RHEL 7.5 erratum +- Fixed exit codes for `sudo -l -U ` +- Fixed truncated output when log_output is enabled +- Updated use_pty and IO logging manpage + + Resolves: rhbz#1458696 + Resolves: rhbz#1454571 + Resolves: rhbz#1490358 + +- Fixed second pass LDAP filter expression in the sudoers ldap backend + - inclomplete patch for rhbz#1485397 + +* Mon Aug 14 2017 Daniel Kopecek - 1.8.19p2-11 +- Moved libsudo_util.so from the -devel sub-package to main package + Resolves: rhbz#1481225 + +* Wed Jun 07 2017 Daniel Kopecek - 1.8.19p2-10 +- RHEL 7.4 erratum +- Fix CVE-2017-1000368 + Resolves: rhbz#1459411 + +* Tue Jun 06 2017 Radovan Sroka - 1.8.19p2-9 +- RHEL 7.4 erratum +- removed patch for output truncation (1454571) which introduced regression + Resolves: rhbz#1360687 + +* Thu May 25 2017 Jakub Jelen - 1.8.19p2-8 +- RHEL 7.4 erratum +- Fixes CVE-2017-1000367: Privilege escalation in via improper get_process_ttyname() parsing + Resolves: rhbz#1455402 + +* Tue May 23 2017 Daniel Kopecek - 1.8.19p2-7 +- RHEL 7.4 erratum +- added patch to fix output truncation (in some cases) when log_output + option is enabled + Resolves: rhbz#1454571 + +* Thu May 04 2017 Radovan Sroka - 1.8.19p2-6 +- RHEL 7.4 erratum +- added patch that fixes lecture option used as bolean + Resolves rhbz#1360687 + +* Tue Apr 25 2017 Radovan Sroka - 1.8.19p2-5 +- RHEL 7.4 erratum +- added doc patch about sudo lookup issue + Resolves: rhbz#1293306 +- added test suite patch + Resolves: rhbz#1360687 +- fixed use after free fqdn problem + Resolves: rhbz#1360687 + +* Tue Mar 21 2017 Tomas Sykora - 1.8.19p2-4 +- RHEL 7.4 erratum +- fixed cmnd_no_wait patch +- backported iolog_flush sudoers default + Resolves: rhbz#1369856 + Resolves: rhbz#1425853 + +* Wed Mar 08 2017 Tomas Sykora - 1.8.19p2-3 +- RHEL 7.4 eratum +- Fixes semicolon typo in digest backport patch from the previous build + Resolves: rhbz#1360687 + +* Wed Mar 08 2017 Tomas Sykora - 1.8.19p2-2 +- RHEL 7.4 erratum +- Fixes coverity scan issues created by our patches: + - fixed resource leaks and a compiler warning in digest backport patch + - removed needless code from cmnd_no_wait patch causing clang warning + - format of the last changelog message causes problems to rhpkg push, + so don't use that as a commit message + Resolves: rhbz#1360687 + +* Wed Mar 01 2017 Tomas Sykora - 1.8.19p2-1 +- RHEL 7.4 erratum + - Resolves: rhbz#1360687 - rebase to 1.8.19p2 + - Resolves: rhbz#1123526 - performance improvement + - Resolves: rhbz#1308789 - add MAIL and NOMAIL tags + - Resolves: rhbz#1348504 - sudo now parses sudoers with sudoers locale + - Resolves: rhbz#1374417 - "sudo -l command" indicated that the command + was runnable even if denied by sudoers when using LDAP or SSSD backend. + - Resolves: rhbz#1387303 - add ignore_iolog_errors option + - Resolves: rhbz#1389360 - wrong log file group ownership + - Resolves: rhbz#1389735 - add iolog_group, iolog_mode, iolog_user options + - Resolves: rhbz#1397169 - maxseq and ignore_iolog_errors options + - Resolves: rhbz#1403051 - add support for querying netgroups directly via LDAP + - Resolves: rhbz#1410086 - race condition while creating /var/log/sudo-io dir + - Resolves: rhbz#1413160 - add ignore_unknown_defaults flag + - Resolves: rhbz#1254772 - ability to export sudoers in json format + - Resolves: rhbz#1417187 - wrong reference to config file in systax error message + - Resolves: rhbz#1424575 - visudo was not printing severity of error/warning message + +* Wed Nov 23 2016 Daniel Kopecek - 1.8.6p7-21 +- Update noexec syscall blacklist +- Fixes CVE-2016-7032 and CVE-2016-7076 + Resolves: rhbz#1391940 + +* Tue Jul 19 2016 Daniel Kopecek - 1.8.6p7-20 +- RHEL 7.3 erratum + - fixed visudo's -q flag + Resolves: rhbz#1350828 + +* Tue Jun 14 2016 Daniel Kopecek - 1.8.6p7-19 +- RHEL 7.3 erratum + - removed INPUTRC from env_keep to prevent a potential info leak + Resolves: rhbz#1340700 + +* Wed May 11 2016 Daniel Kopecek - 1.8.6p7-18 +- RHEL 7.3 erratum + - removed requiretty flag from the default sudoers policy + - backported pam_service and pam_login_service defaults options + - implemented netgroup_tuple defaults option for changing netgroup + processing semantics + - fixed user matching logic in the LDAP nss backend + - don't allow visudo to accept an invalid sudoers file + - fixed a bug causing that non-root users can list privileges of + other users + - modified digest check documentation to mention the raciness of + the checking mechanism + Resolves: rhbz#1196451 + Resolves: rhbz#1247230 + Resolves: rhbz#1334331 + Resolves: rhbz#1334360 + Resolves: rhbz#1261998 + Resolves: rhbz#1313364 + Resolves: rhbz#1312486 + Resolves: rhbz#1268958 + Resolves: rhbz#1335039 + Resolves: rhbz#1335042 + Resolves: rhbz#1335045 + Resolves: rhbz#1273243 + Resolves: rhbz#1299883 + +* Mon Feb 15 2016 Daniel Kopecek - 1.8.6p7-17 +- fixed bug in closefrom_override defaults option + Resolves: rhbz#1297062 + +* Tue Sep 1 2015 Daniel Kopecek - 1.8.6p7-16 +- RHEL 7.2 erratum + - show the digest type in warning messages + Resolves: rhbz#1183818 + +* Tue Sep 1 2015 Daniel Kopecek - 1.8.6p7-15 +- RHEL 7.2 erratum + - fixed compilation of testing binaries during make check + - added legacy group processing patch + - replaced buggy base64 decoder with a public domain implementation + Resolves: rhbz#1254621 + Resolves: rhbz#1183818 + Resolves: rhbz#1247591 + +* Tue Jul 7 2015 Daniel Kopecek - 1.8.6p7-14 +- RHEL 7.2 erratum + - backported command digest specification + - fixed CVE-2014-9680 sudo: unsafe handling of TZ environment variable + - fixed typos in sudoers.ldap man page + - fixed handling of double-quoted sudoOption values in ldap, sssd sources + - fixed numeric uid specification support in ldap source + - fixed authentication flag logic in ldap source + - added the systemctl command to the SERVICES alias in the default sudoers file + Resolves: rhbz#1144446 + Resolves: rhbz#1235570 + Resolves: rhbz#1138259 + Resolves: rhbz#1183818 + Resolves: rhbz#1233607 + Resolves: rhbz#1144419 + Resolves: rhbz#1135539 + Resolves: rhbz#1215400 + +* Tue Sep 30 2014 Daniel Kopecek - 1.8.6p7-13 +- RHEL 7.1 erratum + - fixed issues found by covscan/clang-analyzer + Resolves: rhbz#1147616 + +* Mon Sep 29 2014 Daniel Kopecek - 1.8.6p7-12 +- RHEL 7.1 erratum + - don't retry authentication when ctrl-c pressed + - fix double-quote processing in Defaults options + - handle the "(none)" hostname correctly + - SSSD: fix sudoUser netgroup specification filtering + - SSSD: list correct user when -U -l specified + - SSSD: show rule names on long listing (-ll) + - fix infinite loop when duplicate entries are specified on the + sudoers nsswitch.conf line + Resolves: rhbz#1084488 + Resolves: rhbz#1088464 + Resolves: rhbz#1088825 + Resolves: rhbz#1092499 + Resolves: rhbz#1093099 + Resolves: rhbz#1096813 + Resolves: rhbz#1147497 + Resolves: rhbz#1147557 + +* Wed Feb 26 2014 Daniel Kopecek - 1.8.6p7-11 +- Fixed incorrect login shell path construction in sesh + (thanks fkrska@redhat.com for the patch) + Resolves: rhbz#1065418 + +* Fri Jan 24 2014 Daniel Mach - 1.8.6p7-10 +- Mass rebuild 2014-01-24 + +* Wed Jan 15 2014 Daniel Kopecek - 1.8.6p7-9 +- allow the wheel group to use sudo + Resolves: rhbz#994623 + +* Fri Dec 27 2013 Daniel Mach - 1.8.6p7-8 +- Mass rebuild 2013-12-27 + +* Fri Nov 08 2013 Daniel Kopecek - 1.8.6p7-7 +- dropped wrong patch and fixed patch comments + Resolves: rhbz#1000389 + +* Thu Nov 07 2013 Daniel Kopecek - 1.8.6p7-6 +- fixed alias cycle detection code +- added debug messages for tracing of netgroup matching +- fixed aborting on realloc when displaying allowed commands +- sssd: filter netgroups in the sudoUser attribute +- parse uids/gids more strictly +- added debug messages to trace netgroup matching + Resolves: rhbz#1026904 + Resolves: rhbz#1026890 + Resolves: rhbz#1007014 + Resolves: rhbz#1026894 + Resolves: rhbz#1000389 + Resolves: rhbz#994566 + +* Mon Aug 05 2013 Daniel Kopecek - 1.8.6p7-5 +- added standalone manpage for sudo.conf and sudo-ldap.conf +- spec file cleanup + Resolves: rhbz#881258 + +* Mon Jul 29 2013 Daniel Kopecek - 1.8.6p7-4 +- added RHEL 6 patches + +* Wed Jul 24 2013 Daniel Kopecek - 1.8.6p7-3 +- synced sudoers, configure options & configuration files with + expected RHEL configuration + Resolves: rhbz#969373 + Resolves: rhbz#971009 + Resolves: rhbz#965124 + Resolves: rhbz#971013 + Resolves: rhbz#839705 + +* Thu Apr 11 2013 Daniel Kopecek - 1.8.6p7-2 +- depend on /usr/sbin/sendmail instead of the sendmail package + Resolves: rhbz#927842 + +* Thu Feb 28 2013 Daniel Kopecek - 1.8.6p7-1 +- update to 1.8.6p7 +- fixes CVE-2013-1775 and CVE-2013-1776 +- fixed several packaging issues (thanks to ville.skytta@iki.fi) + - build with system zlib. + - let rpmbuild strip libexecdir/*.so. + - own the %%{_docdir}/sudo-* dir. + - fix some rpmlint warnings (spaces vs tabs, unescaped macros). + - fix bogus %%changelog dates. + +* Fri Feb 15 2013 Fedora Release Engineering - 1.8.6p3-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_19_Mass_Rebuild + +* Mon Nov 12 2012 Daniel Kopecek - 1.8.6p3-2 +- added upstream patch for a regression +- don't include arch specific files in the -devel subpackage +- ship only one sample plugin in the -devel subpackage + +* Tue Sep 25 2012 Daniel Kopecek - 1.8.6p3-1 +- update to 1.8.6p3 +- drop -pipelist patch (fixed in upstream) + +* Thu Sep 6 2012 Daniel Kopecek - 1.8.6-1 +- update to 1.8.6 + +* Thu Jul 26 2012 Daniel Kopecek - 1.8.5-4 +- added patches that fix & improve SSSD support (thanks to pbrezina@redhat.com) +- re-enabled SSSD support +- removed libsss_sudo dependency + +* Tue Jul 24 2012 Bill Nottingham - 1.8.5-3 +- flip sudoers2ldif executable bit after make install, not in setup + +* Sat Jul 21 2012 Fedora Release Engineering - 1.8.5-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild + +* Thu May 17 2012 Daniel Kopecek - 1.8.5-1 +- update to 1.8.5 +- fixed CVE-2012-2337 +- temporarily disabled SSSD support + +* Wed Feb 29 2012 Daniel Kopecek - 1.8.3p1-6 +- fixed problems with undefined symbols (rhbz#798517) + +* Wed Feb 22 2012 Daniel Kopecek - 1.8.3p1-5 +- SSSD patch update + +* Tue Feb 7 2012 Daniel Kopecek - 1.8.3p1-4 +- added SSSD support + +* Thu Jan 26 2012 Daniel Kopecek - 1.8.3p1-3 +- added patch for CVE-2012-0809 + +* Sat Jan 14 2012 Fedora Release Engineering - 1.8.3p1-2 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild + +* Thu Nov 10 2011 Daniel Kopecek - 1.8.3p1-1 +- update to 1.8.3p1 +- disable output word wrapping if the output is piped + +* Wed Sep 7 2011 Peter Robinson - 1.8.1p2-2 +- Remove execute bit from sample script in docs so we don't pull in perl + +* Tue Jul 12 2011 Daniel Kopecek - 1.8.1p2-1 +- rebase to 1.8.1p2 +- removed .sudoi patch +- fixed typo: RELPRO -> RELRO +- added -devel subpackage for the sudo_plugin.h header file +- use default ldap configuration files again + +* Fri Jun 3 2011 Daniel Kopecek - 1.7.4p5-4 +- build with RELRO + +* Wed Feb 09 2011 Fedora Release Engineering - 1.7.4p5-3 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild + +* Mon Jan 17 2011 Daniel Kopecek - 1.7.4p5-2 +- rebase to 1.7.4p5 +- fixed sudo-1.7.4p4-getgrouplist.patch +- fixes CVE-2011-0008, CVE-2011-0010 + +* Tue Nov 30 2010 Daniel Kopecek - 1.7.4p4-5 +- anybody in the wheel group has now root access (using password) (rhbz#656873) +- sync configuration paths with the nss_ldap package (rhbz#652687) + +* Wed Sep 29 2010 Daniel Kopecek - 1.7.4p4-4 +- added upstream patch to fix rhbz#638345 + +* Mon Sep 20 2010 Daniel Kopecek - 1.7.4p4-3 +- added patch for #635250 +- /var/run/sudo -> /var/db/sudo in .spec + +* Tue Sep 7 2010 Daniel Kopecek - 1.7.4p4-2 +- sudo now uses /var/db/sudo for timestamps + +* Tue Sep 7 2010 Daniel Kopecek - 1.7.4p4-1 +- update to new upstream version +- new command available: sudoreplay +- use native audit support +- corrected license field value: BSD -> ISC + +* Wed Jun 2 2010 Daniel Kopecek - 1.7.2p6-2 +- added patch that fixes insufficient environment sanitization issue (#598154) + +* Wed Apr 14 2010 Daniel Kopecek - 1.7.2p6-1 +- update to new upstream version +- merged .audit and .libaudit patch +- added sudoers.ldap.5* to files + +* Mon Mar 1 2010 Daniel Kopecek - 1.7.2p5-2 +- update to new upstream version + +* Tue Feb 16 2010 Daniel Kopecek - 1.7.2p2-5 +- fixed no valid sudoers sources found (#558875) + +* Wed Feb 10 2010 Daniel Kopecek - 1.7.2p2-4 +- audit related Makefile.in and configure.in corrections +- added --with-audit configure option +- removed call to libtoolize + +* Wed Feb 10 2010 Daniel Kopecek - 1.7.2p2-3 +- fixed segfault when #include directive is used in cycles (#561336) + +* Fri Jan 8 2010 Ville Skyttä - 1.7.2p2-2 +- Add /etc/sudoers.d dir and use it in default config (#551470). +- Drop *.pod man page duplicates from docs. + +* Thu Jan 07 2010 Daniel Kopecek - 1.7.2p2-1 +- new upstream version 1.7.2p2-1 +- commented out unused aliases in sudoers to make visudo happy (#550239) + +* Fri Aug 21 2009 Tomas Mraz - 1.7.1-7 +- rebuilt with new audit + +* Thu Aug 20 2009 Daniel Kopecek 1.7.1-6 +- moved secure_path from compile-time option to sudoers file (#517428) + +* Sun Jul 26 2009 Fedora Release Engineering - 1.7.1-5 +- Rebuilt for https://fedoraproject.org/wiki/Fedora_12_Mass_Rebuild + +* Thu Jul 09 2009 Daniel Kopecek 1.7.1-4 +- moved the closefrom() call before audit_help_open() (sudo-1.7.1-auditfix.patch) +- epoch number sync + +* Mon Jun 22 2009 Daniel Kopecek 1.7.1-1 +- updated sudo to version 1.7.1 +- fixed small bug in configure.in (sudo-1.7.1-conffix.patch) + +* Tue Feb 24 2009 Daniel Kopecek 1.6.9p17-6 +- fixed building with new libtool +- fix for incorrect handling of groups in Runas_User +- added /usr/local/sbin to secure-path + +* Tue Jan 13 2009 Daniel Kopecek 1.6.9p17-3 +- build with sendmail installed +- Added /usr/local/bin to secure-path + +* Tue Sep 02 2008 Peter Vrabec 1.6.9p17-2 +- adjust audit patch, do not scream when kernel is + compiled without audit netlink support (#401201) + +* Fri Jul 04 2008 Peter Vrabec 1.6.9p17-1 +- upgrade + +* Wed Jun 18 2008 Peter Vrabec 1.6.9p13-7 +- build with newer autoconf-2.62 (#449614) + +* Tue May 13 2008 Peter Vrabec 1.6.9p13-6 +- compiled with secure path (#80215) + +* Mon May 05 2008 Peter Vrabec 1.6.9p13-5 +- fix path to updatedb in /etc/sudoers (#445103) + +* Mon Mar 31 2008 Peter Vrabec 1.6.9p13-4 +- include ldap files in rpm package (#439506) + +* Thu Mar 13 2008 Peter Vrabec 1.6.9p13-3 +- include [sudo] in password prompt (#437092) + +* Tue Mar 04 2008 Peter Vrabec 1.6.9p13-2 +- audit support improvement + +* Thu Feb 21 2008 Peter Vrabec 1.6.9p13-1 +- upgrade to the latest upstream release + +* Wed Feb 06 2008 Peter Vrabec 1.6.9p12-1 +- upgrade to the latest upstream release +- add selinux support + +* Mon Feb 04 2008 Dennis Gilmore 1.6.9p4-6 +- sparc64 needs to be in the -fPIE list with s390 + +* Mon Jan 07 2008 Peter Vrabec 1.6.9p4-5 +- fix complains about audit_log_user_command(): Connection + refused (#401201) + +* Wed Dec 05 2007 Release Engineering - 1.6.9p4-4 +- Rebuild for deps + +* Wed Dec 05 2007 Release Engineering - 1.6.9p4-3 +- Rebuild for openssl bump + +* Thu Aug 30 2007 Peter Vrabec 1.6.9p4-2 +- fix autotools stuff and add audit support + +* Mon Aug 20 2007 Peter Vrabec 1.6.9p4-1 +- upgrade to upstream release + +* Thu Apr 12 2007 Peter Vrabec 1.6.8p12-14 +- also use getgrouplist() to determine group membership (#235915) + +* Mon Feb 26 2007 Peter Vrabec 1.6.8p12-13 +- fix some spec file issues + +* Thu Dec 14 2006 Peter Vrabec 1.6.8p12-12 +- fix rpmlint issue + +* Thu Oct 26 2006 Peter Vrabec 1.6.8p12-11 +- fix typo in sudoers file (#212308) + +* Sun Oct 01 2006 Jesse Keating - 1.6.8p12-10 +- rebuilt for unwind info generation, broken in gcc-4.1.1-21 + +* Thu Sep 21 2006 Peter Vrabec 1.6.8p12-9 +- fix sudoers file, X apps didn't work (#206320) + +* Tue Aug 08 2006 Peter Vrabec 1.6.8p12-8 +- use Red Hat specific default sudoers file + +* Sun Jul 16 2006 Karel Zak 1.6.8p12-7 +- fix #198755 - make login processes (sudo -i) initialise session keyring + (thanks for PAM config files to David Howells) +- add IPv6 support (patch by Milan Zazrivec) + +* Wed Jul 12 2006 Jesse Keating - 1.6.8p12-6.1 +- rebuild + +* Mon May 29 2006 Karel Zak 1.6.8p12-6 +- fix #190062 - "ssh localhost sudo su" will show the password in clear + +* Tue May 23 2006 Karel Zak 1.6.8p12-5 +- add LDAP support (#170848) + +* Fri Feb 10 2006 Jesse Keating - 1.6.8p12-4.1 +- bump again for double-long bug on ppc(64) + +* Wed Feb 8 2006 Karel Zak 1.6.8p12-4 +- reset env. by default + +* Tue Feb 07 2006 Jesse Keating - 1.6.8p12-3.1 +- rebuilt for new gcc4.1 snapshot and glibc changes + +* Mon Jan 23 2006 Dan Walsh 1.6.8p12-3 +- Remove selinux patch. It has been decided that the SELinux patch for sudo is +- no longer necessary. In tageted policy it had no effect. In strict/MLS policy +- We require the person using sudo to execute newrole before using sudo. + +* Fri Dec 09 2005 Jesse Keating +- rebuilt + +* Fri Nov 25 2005 Karel Zak 1.6.8p12-1 +- new upstream version 1.6.8p12 + +* Tue Nov 8 2005 Karel Zak 1.6.8p11-1 +- new upstream version 1.6.8p11 + +* Thu Oct 13 2005 Tomas Mraz 1.6.8p9-6 +- use include instead of pam_stack in pam config + +* Tue Oct 11 2005 Karel Zak 1.6.8p9-5 +- enable interfaces in selinux patch +- merge sudo-1.6.8p8-sesh-stopsig.patch to selinux patch + +* Mon Sep 19 2005 Karel Zak 1.6.8p9-4 +- fix debuginfo + +* Mon Sep 19 2005 Karel Zak 1.6.8p9-3 +- fix #162623 - sesh hangs when child suspends + +* Mon Aug 1 2005 Dan Walsh 1.6.8p9-2 +- Add back in interfaces call, SELinux has been fixed to work around + +* Tue Jun 21 2005 Karel Zak 1.6.8p9-1 +- new version 1.6.8p9 (resolve #161116 - CAN-2005-1993 sudo trusted user arbitrary command execution) + +* Tue May 24 2005 Karel Zak 1.6.8p8-2 +- fix #154511 - sudo does not use limits.conf + +* Mon Apr 4 2005 Thomas Woerner 1.6.8p8-1 +- new version 1.6.8p8: new sudoedit and sudo_noexec + +* Wed Feb 9 2005 Thomas Woerner 1.6.7p5-31 +- rebuild + +* Mon Oct 4 2004 Thomas Woerner 1.6.7p5-30.1 +- added missing BuildRequires for libselinux-devel (#132883) + +* Wed Sep 29 2004 Dan Walsh 1.6.7p5-30 +- Fix missing param error in sesh + +* Mon Sep 27 2004 Dan Walsh 1.6.7p5-29 +- Remove full patch check from sesh + +* Thu Jul 8 2004 Dan Walsh 1.6.7p5-28 +- Fix selinux patch to switch to root user + +* Tue Jun 15 2004 Elliot Lee +- rebuilt + +* Tue Apr 13 2004 Dan Walsh 1.6.7p5-26 +- Eliminate tty handling from selinux + +* Thu Apr 1 2004 Thomas Woerner 1.6.7p5-25 +- fixed spec file: sesh in file section with selinux flag (#119682) + +* Tue Mar 30 2004 Colin Walters 1.6.7p5-24 +- Enhance sesh.c to fork/exec children itself, to avoid + having sudo reap all domains. +- Only reinstall default signal handlers immediately before + exec of child with SELinux patch + +* Thu Mar 18 2004 Dan Walsh 1.6.7p5-23 +- change to default to sysadm_r +- Fix tty handling + +* Thu Mar 18 2004 Dan Walsh 1.6.7p5-22 +- Add /bin/sesh to run selinux code. +- replace /bin/bash -c with /bin/sesh + +* Tue Mar 16 2004 Dan Walsh 1.6.7p5-21 +- Hard code to use "/bin/bash -c" for selinux + +* Tue Mar 16 2004 Dan Walsh 1.6.7p5-20 +- Eliminate closing and reopening of terminals, to match su. + +* Mon Mar 15 2004 Dan Walsh 1.6.7p5-19 +- SELinux fixes to make transitions work properly + +* Fri Mar 5 2004 Thomas Woerner 1.6.7p5-18 +- pied sudo + +* Fri Feb 13 2004 Elliot Lee +- rebuilt + +* Tue Jan 27 2004 Dan Walsh 1.6.7p5-16 +- Eliminate interfaces call, since this requires big SELinux privs +- and it seems to be useless. + +* Tue Jan 27 2004 Karsten Hopp 1.6.7p5-15 +- visudo requires vim-minimal or setting EDITOR to something useful (#68605) + +* Mon Jan 26 2004 Dan Walsh 1.6.7p5-14 +- Fix is_selinux_enabled call + +* Tue Jan 13 2004 Dan Walsh 1.6.7p5-13 +- Clean up patch on failure + +* Tue Jan 6 2004 Dan Walsh 1.6.7p5-12 +- Remove sudo.te for now. + +* Fri Jan 2 2004 Dan Walsh 1.6.7p5-11 +- Fix usage message + +* Mon Dec 22 2003 Dan Walsh 1.6.7p5-10 +- Clean up sudo.te to not blow up if pam.te not present + +* Thu Dec 18 2003 Thomas Woerner +- added missing BuildRequires for groff + +* Tue Dec 16 2003 Jeremy Katz 1.6.7p5-9 +- remove left-over debugging code + +* Tue Dec 16 2003 Dan Walsh 1.6.7p5-8 +- Fix terminal handling that caused Sudo to exit on non selinux machines. + +* Mon Dec 15 2003 Dan Walsh 1.6.7p5-7 +- Remove sudo_var_run_t which is now pam_var_run_t + +* Fri Dec 12 2003 Dan Walsh 1.6.7p5-6 +- Fix terminal handling and policy + +* Thu Dec 11 2003 Dan Walsh 1.6.7p5-5 +- Fix policy + +* Thu Nov 13 2003 Dan Walsh 1.6.7p5-4.sel +- Turn on SELinux support + +* Tue Jul 29 2003 Dan Walsh 1.6.7p5-3 +- Add support for SELinux + +* Wed Jun 04 2003 Elliot Lee +- rebuilt + +* Mon May 19 2003 Thomas Woerner 1.6.7p5-1 + +* Wed Jan 22 2003 Tim Powers +- rebuilt + +* Tue Nov 12 2002 Nalin Dahyabhai 1.6.6-2 +- remove absolute path names from the PAM configuration, ensuring that the + right modules get used for whichever arch we're built for +- don't try to install the FAQ, which isn't there any more + +* Thu Jun 27 2002 Bill Nottingham 1.6.6-1 +- update to 1.6.6 + +* Fri Jun 21 2002 Tim Powers +- automated rebuild + +* Thu May 23 2002 Tim Powers +- automated rebuild + +* Thu Apr 18 2002 Bernhard Rosenkraenzer 1.6.5p2-2 +- Fix bug #63768 + +* Thu Mar 14 2002 Bernhard Rosenkraenzer 1.6.5p2-1 +- 1.6.5p2 + +* Fri Jan 18 2002 Bernhard Rosenkraenzer 1.6.5p1-1 +- 1.6.5p1 +- Hope this "a new release per day" madness stops ;) + +* Thu Jan 17 2002 Bernhard Rosenkraenzer 1.6.5-1 +- 1.6.5 + +* Tue Jan 15 2002 Bernhard Rosenkraenzer 1.6.4p1-1 +- 1.6.4p1 + +* Mon Jan 14 2002 Bernhard Rosenkraenzer 1.6.4-1 +- Update to 1.6.4 + +* Mon Jul 23 2001 Bernhard Rosenkraenzer 1.6.3p7-2 +- Add build requirements (#49706) +- s/Copyright/License/ +- bzip2 source + +* Sat Jun 16 2001 Than Ngo +- update to 1.6.3p7 +- use %%{_tmppath} + +* Fri Feb 23 2001 Bernhard Rosenkraenzer +- 1.6.3p6, fixes buffer overrun + +* Tue Oct 10 2000 Bernhard Rosenkraenzer +- 1.6.3p5 + +* Wed Jul 12 2000 Prospector +- automatic rebuild + +* Tue Jun 06 2000 Karsten Hopp +- fixed owner of sudo and visudo + +* Thu Jun 1 2000 Nalin Dahyabhai +- modify PAM setup to use system-auth +- clean up buildrooting by using the makeinstall macro + +* Tue Apr 11 2000 Bernhard Rosenkraenzer +- initial build in main distrib +- update to 1.6.3 +- deal with compressed man pages + +* Tue Dec 14 1999 Preston Brown +- updated to 1.6.1 for Powertools 6.2 +- config files are now noreplace. + +* Thu Jul 22 1999 Tim Powers +- updated to 1.5.9p2 for Powertools 6.1 + +* Wed May 12 1999 Bill Nottingham +- sudo is configured with pam. There's no pam.d file. Oops. + +* Mon Apr 26 1999 Preston Brown +- upgraded to 1.59p1 for powertools 6.0 + +* Tue Oct 27 1998 Preston Brown +- fixed so it doesn't find /usr/bin/vi first, but instead /bin/vi (always installed) + +* Thu Oct 08 1998 Michael Maher +- built package for 5.2 + +* Mon May 18 1998 Michael Maher +- updated SPEC file + +* Thu Jan 29 1998 Otto Hammersmith +- updated to 1.5.4 + +* Tue Nov 18 1997 Otto Hammersmith +- built for glibc, no problems + +* Fri Apr 25 1997 Michael Fulbright +- Fixed for 4.2 PowerTools +- Still need to be pamified +- Still need to move stmp file to /var/log + +* Mon Feb 17 1997 Michael Fulbright +- First version for PowerCD.