#17 Update to 1.9.0b4 + patch for setrlimit(RLIMIT_CORE) rootless container warnings
Merged 4 years ago by rsroka. Opened 4 years ago by alakatos.
rpms/ alakatos/sudo f31  into  f31

file modified
+1
@@ -21,3 +21,4 @@ 

  /sudo-1.8.28p1.tar.gz

  /sudo-1.8.29.tar.gz

  /sudo-1.9.0b1.tar.gz

+ /sudo-1.9.0b4.tar.gz

file modified
+1 -1
@@ -1,1 +1,1 @@ 

- SHA512 (sudo-1.9.0b1.tar.gz) = 7459d398514b54c6898a3eaebca141f39af661cda51c007e068bea1cc1860df1bc66ea13c752da8f6bf3d574ba92e337874b20279e1400cfea99982a469f5435

+ SHA512 (sudo-1.9.0b4.tar.gz) = 8f9da58ebb53d751746e8b271d9089a98cbbeb6e82691c3905c5ac11255bc70c7f467c0097d8dab2980fd94ffb8c438d03326f1bc98f0b580ec6e5b06227f559

@@ -0,0 +1,149 @@ 

+  changeset 12288:1064b906ca68

+ 

+ Ignore a failure to restore the RLIMIT_CORE resource limit.

+ Linux containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY

+ if we set the limit to zero, even for root.  This is not a problem

+ outside the container.

+ author 	Todd C. Miller <Todd.Miller@sudo.ws>

+ date 	Sat, 14 Mar 2020 11:13:55 -0600

+ parents 	72ca06a294b4

+ children 	40629e6fd692

+ files 	src/limits.c

+ diffstat 	1 files changed, 61 insertions(+), 10 deletions(-) [+]

+ line wrap: on

+  line diff

+ 

+ --- a/src/limits.c	Thu Mar 12 17:39:56 2020 -0600

+ +++ b/src/limits.c	Sat Mar 14 11:13:55 2020 -0600

+ @@ -114,13 +114,21 @@

+ 

+      if (getrlimit(RLIMIT_CORE, &corelimit) == -1)

+  	sudo_warn("getrlimit(RLIMIT_CORE)");

+ +    sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_CORE [%lld, %lld] -> [0, 0]",

+ +	(long long)corelimit.rlim_cur, (long long)corelimit.rlim_max);

+      if (setrlimit(RLIMIT_CORE, &rl) == -1)

+  	sudo_warn("setrlimit(RLIMIT_CORE)");

+  #ifdef __linux__

+      /* On Linux, also set PR_SET_DUMPABLE to zero (reset by execve). */

+ -    if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1)

+ +    if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) {

+ +	sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,

+ +	    "prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)");

+  	dumpflag = 0;

+ -    (void) prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);

+ +    }

+ +    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1) {

+ +	sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,

+ +	    "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag);

+ +    }

+  #endif /* __linux__ */

+      coredump_disabled = true;

+ 

+ @@ -136,10 +144,20 @@

+      debug_decl(restore_coredump, SUDO_DEBUG_UTIL);

+ 

+      if (coredump_disabled) {

+ -	if (setrlimit(RLIMIT_CORE, &corelimit) == -1)

+ -	    sudo_warn("setrlimit(RLIMIT_CORE)");

+ +	/*

+ +	 * Linux containers don't allow RLIMIT_CORE to be set back to

+ +	 * RLIM_INFINITY if we set the limit to zero, even for root.

+ +	 */

+ +	if (setrlimit(RLIMIT_CORE, &corelimit) == -1) {

+ +	    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,

+ +		"setrlimit(RLIMIT_CORE, [%lld, %lld])",

+ +		(long long)corelimit.rlim_cur, (long long)corelimit.rlim_max);

+ +	}

+  #ifdef __linux__

+ -	(void) prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0);

+ +	if (prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0) == -1) {

+ +	    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,

+ +		"prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag);

+ +	}

+  #endif /* __linux__ */

+      }

+      debug_return;

+ @@ -162,8 +180,14 @@

+ 

+      if (getrlimit(RLIMIT_NPROC, &nproclimit) != 0)

+  	sudo_warn("getrlimit(RLIMIT_NPROC)");

+ +    sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_NPROC [%lld, %lld] -> [inf, inf]",

+ +	(long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max);

+      if (setrlimit(RLIMIT_NPROC, &rl) == -1) {

+  	rl.rlim_cur = rl.rlim_max = nproclimit.rlim_max;

+ +	sudo_debug_printf(SUDO_DEBUG_INFO,

+ +	    "RLIMIT_NPROC [%lld, %lld] -> [%lld, %lld]",

+ +	    (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max,

+ +	    (long long)rl.rlim_cur, (long long)rl.rlim_max);

+  	if (setrlimit(RLIMIT_NPROC, &rl) != 0)

+  	    sudo_warn("setrlimit(RLIMIT_NPROC)");

+      }

+ @@ -180,8 +204,11 @@

+  #ifdef __linux__

+      debug_decl(restore_nproc, SUDO_DEBUG_UTIL);

+ 

+ -    if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0)

+ -	sudo_warn("setrlimit(RLIMIT_NPROC)");

+ +    if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0) {

+ +	sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,

+ +	    "setrlimit(RLIMIT_NPROC, [%lld, %lld])",

+ +	    (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max);

+ +    }

+ 

+      debug_return;

+  #endif /* __linux__ */

+ @@ -203,6 +230,11 @@

+  	struct saved_limit *lim = &saved_limits[idx];

+  	if (getrlimit(lim->resource, &lim->oldlimit) == -1)

+  	    continue;

+ +	sudo_debug_printf(SUDO_DEBUG_INFO,

+ +	    "getrlimit(lim->name) -> [%lld, %lld]",

+ +	    (long long)lim->oldlimit.rlim_cur,

+ +	    (long long)lim->oldlimit.rlim_max);

+ +

+  	lim->saved = true;

+  	if (lim->newlimit.rlim_cur != RLIM_INFINITY) {

+  	    /* Don't reduce the soft resource limit. */

+ @@ -217,13 +249,28 @@

+  		lim->newlimit.rlim_max = lim->oldlimit.rlim_max;

+  	}

+  	if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) {

+ -	    if (lim->fallback != NULL)

+ -		rc = setrlimit(lim->resource, lim->fallback);

+ +	    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,

+ +		"setrlimit(%s, [%lld, %lld])", lim->name,

+ +		(long long)lim->newlimit.rlim_cur,

+ +		(long long)lim->newlimit.rlim_max);

+ +	    if (lim->fallback != NULL) {

+ +		if ((rc = setrlimit(lim->resource, lim->fallback)) == -1) {

+ +		    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,

+ +			"setrlimit(%s, [%lld, %lld])", lim->name,

+ +			(long long)lim->fallback->rlim_cur,

+ +			(long long)lim->fallback->rlim_max);

+ +		}

+ +	    }

+  	    if (rc == -1) {

+  		/* Try setting new rlim_cur to old rlim_max. */

+  		lim->newlimit.rlim_cur = lim->oldlimit.rlim_max;

+  		lim->newlimit.rlim_max = lim->oldlimit.rlim_max;

+ -		rc = setrlimit(lim->resource, &lim->newlimit);

+ +		if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) {

+ +		    sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,

+ +			"setrlimit(%s, [%lld, %lld])", lim->name,

+ +			(long long)lim->newlimit.rlim_cur,

+ +			(long long)lim->newlimit.rlim_max);

+ +		}

+  	    }

+  	    if (rc == -1)

+  		sudo_warn("setrlimit(%s)", lim->name);

+ @@ -254,6 +301,10 @@

+  		if (rc != -1 || errno != EINVAL)

+  		    break;

+ 

+ +		sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_ERRNO,

+ +		    "setrlimit(%s, [%lld, %lld])", lim->name,

+ +		    (long long)rl.rlim_cur, (long long)rl.rlim_max);

+ +

+  		/*

+  		 * Soft limit could be lower than current resource usage.

+  		 * This can be an issue on NetBSD with RLIMIT_STACK and ASLR.
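Review bot: The new debug line in the saved_limits loop (`"getrlimit(lim->name) -> [%lld, %lld]"`) prints the literal text `lim->name` instead of the resource name, so every limit is logged under the same label; it should use a conversion like the other messages in this patch, `"getrlimit(%s) -> [%lld, %lld]", lim->name,` followed by the two rlim values. Since this file is a verbatim copy of the upstream changeset, the fix belongs upstream (or as a follow-up patch) rather than as a local edit of the backport. A smaller point, hedged: the RLIMIT_CORE and RLIMIT_NPROC debug prints read `corelimit`/`nproclimit` even when the preceding getrlimit() only warned on failure, which is harmless only if those structs are file-scope (zero-initialised) — worth confirming against src/limits.c. The enclosing functions start and end outside the quoted hunks.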

file modified
+17 -5
@@ -1,10 +1,13 @@ 

+ %global patchlevel b4

+ %global upstream_version %{version}%{patchlevel}

+ 

  Summary: Allows restricted root access for specified users

  Name: sudo

  Version: 1.9.0

- Release: 0.1.b1%{?dist}

+ Release: 0.1.%{patchlevel}%{?dist}

  License: ISC

  URL: http://www.courtesan.com/sudo/

- Source0: https://www.sudo.ws/dist/beta/%{name}-%{version}b1.tar.gz

+ Source0: https://www.sudo.ws/dist/beta/%{name}-%{upstream_version}.tar.gz

  Source1: sudoers

  Requires: pam

  Recommends: vim-minimal
@@ -24,6 +27,8 @@ 

  

  # don't strip

  Patch1: sudo-1.6.7p5-strip.patch

+ # https://www.sudo.ws/repos/sudo/rev/1064b906ca68

+ Patch2: sudo-1.9-RLIMIT_CORE.patch

  

  %description

  Sudo (superuser do) allows a system administrator to give certain
@@ -45,9 +50,10 @@ 

  plugins that use %{name}.

  

  %prep

- %setup -q -n sudo-1.9.0b1

+ %setup -q -n %{name}-%{upstream_version}

  

  %patch1 -p1 -b .strip

+ %patch2 -p1 -b .orig

  

  %build

  # Remove bundled copy of zlib
@@ -166,7 +172,9 @@ 

  %attr(0755,root,root) %{_libexecdir}/sudo/sesh

  %attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so

  %attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so

+ %attr(0644,root,root) %{_libexecdir}/sudo/audit_json.so

  %attr(0644,root,root) %{_libexecdir}/sudo/group_file.so

+ %attr(0644,root,root) %{_libexecdir}/sudo/sample_approval.so

  %attr(0644,root,root) %{_libexecdir}/sudo/system_group.so

  %attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.?.?.?

  %{_libexecdir}/sudo/libsudo_util.so.?
@@ -202,6 +210,12 @@ 

  %{_mandir}/man8/sudo_plugin.8*

  

  %changelog

+ * Wed Mar 25 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.0-0.1.b4

+ - update to latest development version 1.9.0b4

+ Resolves: rhbz#1816593

+ - setrlimit(RLIMIT_CORE): Operation not permitted warning message fix

+ Resolves: rhbz#1773148

+ 

  * Mon Feb 24 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.0-0.1.b1

  - update to latest development version 1.9.0b1

  - added sudo_logsrvd and sudo_sendlog to files and their appropriate man pages
@@ -215,8 +229,6 @@ 

  - attacker with access to a Runas ALL sudoer account can impersonate a nonexistent user

  Resolves: rhbz#1786705

  - fixes CVE-2019-19232

- - setrlimit(RLIMIT_CORE): Operation not permitted warning message fix

- Resolves: rhbz#1773148

  

  * Mon Nov 11 2019 Radovan Sroka <rsroka@redhat.com> - 1.8.29-1

  - rebase to 1.8.29
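Review bot: The last hunk deletes the `setrlimit(RLIMIT_CORE)` / `Resolves: rhbz#1773148` lines from an older, already-released %changelog entry; older entries are a historical record and should not be rewritten, so if that entry was wrong it is clearer to leave it and state in the new 1.9.0-0.1.b4 entry that the earlier fix was incomplete or dropped in the rebase. The `Patch2` line is well placed next to its upstream URL comment; consider naming the changeset there as well, e.g. `# upstream changeset 12288:1064b906ca68`, so the patch can be matched to a release without following the link.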

  • Update to latest development version 1.9.0b4
    Resolves: rhbz#1816593
  • upstream patch for setrlimit(RLIMIT_CORE) rootless container warnings
    Resolves: rhbz#1773148
