From 93366c6f61d6ee43765f2264fe7767d908a1fc1b Mon Sep 17 00:00:00 2001
From: Daniel Kopeček
Date: Mar 01 2010 12:33:35 +0000
Subject: - update to new upstream version - backport changes from F-12
---
diff --git a/.cvsignore b/.cvsignore
index fd44cc4..a82ba2c 100644
--- a/.cvsignore
+++ b/.cvsignore
@@ -1,2 +1,2 @@
-sudo-1.7.1.tar.gz
-sudo-1.6.8p12-sudoers
+sudo-1.7.2p5.tar.gz
+sudo-1.7.2p2-sudoers
diff --git a/sources b/sources
index 8075fb8..90e961f 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-af672524b2c854a67612bf4c743f58b8 sudo-1.7.1.tar.gz
-f9b28fbbb09ec22ca543c758db44d2cd sudo-1.6.8p12-sudoers
+398f584e831bd75b3c0179e28368c2a3 sudo-1.7.2p5.tar.gz
+d657d8d55ecdf88a2d11da73ac5662a4 sudo-1.7.2p2-sudoers
diff --git a/sudo-1.7.2p1-audit.patch b/sudo-1.7.2p1-audit.patch
new file mode 100644
index 0000000..409aa5b
--- /dev/null
+++ b/sudo-1.7.2p1-audit.patch
@@ -0,0 +1,400 @@ +diff -up /dev/null sudo-1.7.2p1/audit_help.c +--- /dev/null 2009-09-09 14:57:12.384002457 +0200 ++++ sudo-1.7.2p1/audit_help.c 2009-10-30 12:25:49.000000000 +0100 +@@ -0,0 +1,136 @@ ++/* ++ * Audit helper functions used throughout sudo ++ * ++ * Copyright (C) 2007, Red Hat, Inc. ++ * ++ * Redistribution and use in source and binary forms, with or without ++ * modification, are permitted provided that the following conditions ++ * are met: ++ * 1. Redistributions of source code must retain the above copyright ++ * notice, this list of conditions and the following disclaimer. ++ * 2. Redistributions in binary form must reproduce the above copyright ++ * notice, this list of conditions and the following disclaimer in the ++ * documentation and/or other materials provided with the distribution. ++ * 3. Neither the name of Julianne F. Haugh nor the names of its contributors ++ * may be used to endorse or promote products derived from this software ++ * without specific prior written permission. ++ * ++ * THIS SOFTWARE IS PROVIDED BY JULIE HAUGH AND CONTRIBUTORS ``AS IS'' AND ++ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE ++ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ++ * ARE DISCLAIMED. IN NO EVENT SHALL JULIE HAUGH OR CONTRIBUTORS BE LIABLE ++ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL ++ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS ++ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) ++ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT ++ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY ++ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF ++ * SUCH DAMAGE. 
++ */ ++ ++#include ++ ++#ifdef WITH_AUDIT ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++#ifdef HAVE_SELINUX ++#include ++#endif ++ ++int audit_fd = -1; ++ ++void audit_help_open (void) ++{ ++ audit_fd = audit_open (); ++ if (audit_fd < 0) { ++ /* You get these only when the kernel doesn't have ++ * audit compiled in. */ ++ if (errno == EINVAL || errno == EPROTONOSUPPORT || ++ errno == EAFNOSUPPORT) ++ return; ++ fprintf (stderr, "Cannot open audit interface - aborting.\n"); ++ exit (1); ++ } ++} ++ ++/* ++ * This function will log a message to the audit system using a predefined ++ * message format. Parameter usage is as follows: ++ * ++ * type - type of message: AUDIT_USER_CMD ++ * command - the command being logged ++ * params - parames of the command ++ * result - 1 is "success" and 0 is "failed" ++ * ++ */ ++void audit_logger (int type, const char *command, const char *params, int result) ++{ ++ int err; ++ char *msg; ++ ++ if( audit_fd < 0 ) ++ return; ++ else { ++ ++ if( params ) ++ err = asprintf(&msg, "%s %s", command, params); ++ else ++ err = asprintf(&msg, "%s", command); ++ if (err < 0) { ++ fprintf (stderr, "Memory allocation for audit message wasn’t possible.\n"); ++ return; ++ } ++ ++ err = audit_log_user_command (audit_fd, type, msg, NULL, result); ++ /* The kernel supports auditing and we had ++ enough privilege to write to the socket. */ ++ if( err <= 0 && !((errno == EPERM && getuid() > 0) || errno == ECONNREFUSED ) ) { ++ perror("audit_log_user_command()"); ++ } ++ ++ free(msg); ++ } ++} ++ ++#ifdef HAVE_SELINUX ++int send_audit_message(int success, security_context_t old_context, ++ security_context_t new_context, const char *ttyn) ++{ ++ char *msg = NULL; ++ int rc; ++ ++ if (audit_fd < 0) ++ return -1; ++ ++ if (asprintf(&msg, "newrole: old-context=%s new-context=%s", ++ old_context ? old_context : "?", ++ new_context ? 
new_context : "?") < 0) { ++ fprintf(stderr, "Error allocating memory.\n"); ++ rc = -1; ++ goto out; ++ } ++ ++ rc = audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE, ++ msg, NULL, NULL, ttyn, success); ++ ++ if (rc <= 0) { ++ fprintf(stderr, "Error sending audit message.\n"); ++ rc = -1; ++ goto out; ++ } ++ rc = 0; ++ ++ out: ++ free(msg); ++ return rc; ++} ++#endif ++#endif /* WITH_AUDIT */ +diff -up sudo-1.7.2p1/configure.in.audit sudo-1.7.2p1/configure.in +--- sudo-1.7.2p1/configure.in.audit 2009-10-30 12:25:49.000000000 +0100 ++++ sudo-1.7.2p1/configure.in 2009-10-30 12:25:49.000000000 +0100 +@@ -180,6 +180,10 @@ dnl + dnl Options for --with + dnl + ++AC_ARG_WITH(audit, ++ [AC_HELP_STRING([--with-audit], [use auditing support @<:@default=yes if found@:>@])], ++ [with_audit=$withval], [with_audit=yes]) ++ + AC_ARG_WITH(CC, [AS_HELP_STRING([--with-CC], [C compiler to use])], + [case $with_CC in + yes) AC_MSG_ERROR(["must give --with-CC an argument."]) +@@ -1743,6 +1747,24 @@ dnl + : ${mansectsu='8'} + : ${mansectform='5'} + ++AC_SUBST(LIBAUDIT) ++if test "$with_audit" = "yes"; then ++ # See if we have the audit library ++ AC_CHECK_HEADER(libaudit.h, [audit_header="yes"], [audit_header="no"]) ++ if test "$audit_header" = "yes"; then ++ AC_CHECK_LIB(audit, audit_log_user_command, ++ [AC_DEFINE(WITH_AUDIT, 1, [Define if you want to enable Audit messages]) ++ LIBAUDIT="-laudit"]) ++ fi ++ # See if we have the libcap library ++ AC_CHECK_HEADERS(sys/capability.h sys/prctl.h, [cap_header="yes"], [cap_header="no"]) ++ if test "$cap_header" = "yes"; then ++ AC_CHECK_LIB(cap, cap_init, ++ [AC_DEFINE(HAVE_LIBCAP, 1, [SELinux libcap support]) ++ SUDO_LIBS="${SUDO_LIBS} -lcap"]) ++ fi ++fi ++ + dnl + dnl Add in any libpaths or libraries specified via configure + dnl +diff -up sudo-1.7.2p1/Makefile.in.audit sudo-1.7.2p1/Makefile.in +--- sudo-1.7.2p1/Makefile.in.audit 2009-10-30 12:25:49.000000000 +0100 ++++ sudo-1.7.2p1/Makefile.in 2009-10-30 12:25:49.000000000 +0100 
+@@ -125,6 +125,8 @@ HDRS = bsm_audit.h compat.h def_data.h d + + AUTH_OBJS = sudo_auth.o @AUTH_OBJS@ + ++AUDIT_OBJS = audit_help.o ++ + # Note: gram.o must come first here + COMMON_OBJS = gram.o alias.o alloc.o defaults.o error.o list.o match.o \ + toke.o redblack.o zero_bytes.o @NONUNIX_GROUPS_IMPL@ +@@ -132,7 +134,7 @@ COMMON_OBJS = gram.o alias.o alloc.o def + SUDO_OBJS = $(COMMON_OBJS) $(AUTH_OBJS) @SUDO_OBJS@ audit.o check.o env.o \ + getspwuid.o gettime.o goodpath.o fileops.o find_path.o \ + interfaces.o lbuf.o logging.o parse.o pwutil.o set_perms.o \ +- sudo.o sudo_edit.o sudo_nss.o term.o tgetpass.o ++ sudo.o sudo_edit.o sudo_nss.o term.o tgetpass.o $(AUDIT_OBJS) + + VISUDO_OBJS = $(COMMON_OBJS) visudo.o fileops.o gettime.o goodpath.o \ + find_path.o pwutil.o +@@ -363,6 +365,9 @@ securid5.o: $(authdir)/securid5.c $(AUTH + sia.o: $(authdir)/sia.c $(AUTHDEP) + $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(authdir)/sia.c + ++audit_help.o: audit_help.c sudo.h ++ $(CC) -c $(CPPFLAGS) $(CFLAGS) $(DEFS) $(OPTIONS) $(LIBADUIT) $(srcdir)/audit_help.c ++ + sudo.man.in: $(srcdir)/sudo.pod + @rm -f $(srcdir)/$@ + ( cd $(srcdir); mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p sudo.man.pl >> $@ ) +diff -up sudo-1.7.2p1/set_perms.c.audit sudo-1.7.2p1/set_perms.c +--- sudo-1.7.2p1/set_perms.c.audit 2009-06-25 14:44:33.000000000 +0200 ++++ sudo-1.7.2p1/set_perms.c 2009-10-30 12:32:03.000000000 +0100 +@@ -48,6 +48,10 @@ + #ifdef HAVE_LOGIN_CAP_H + # include + #endif ++#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP) ++# include ++# include ++#endif + + #include "sudo.h" + +@@ -130,16 +134,59 @@ set_perms(perm) + break; + + case PERM_FULL_RUNAS: +- /* headed for exec(), assume 
euid == ROOT_UID */ +- runas_setup(); +- if (setresuid(def_stay_setuid ? +- user_uid : runas_pw->pw_uid, +- runas_pw->pw_uid, runas_pw->pw_uid)) { +- errstr = "unable to change to runas uid"; +- goto bad; +- } ++#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP) ++ { /* BEGIN CAP BLOCK */ ++ cap_t new_caps; ++ cap_value_t cap_list[] = { CAP_AUDIT_WRITE }; ++ ++ if (runas_pw->pw_uid != ROOT_UID) { ++ new_caps = cap_init (); ++ if (!new_caps) { ++ errstr = "Error initing capabilities, aborting.\n"; ++ goto bad; ++ } ++ ++ if(cap_set_flag(new_caps, CAP_PERMITTED, 1, cap_list, CAP_SET) || ++ cap_set_flag(new_caps, CAP_EFFECTIVE, 1, cap_list, CAP_SET)) { ++ errstr = "Error setting capabilities, aborting\n"; ++ goto bad; ++ } ++ ++ if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) { ++ errstr = "Error setting KEEPCAPS, aborting\n"; ++ goto bad; ++ } ++ } ++#endif ++ /* headed for exec(), assume euid == ROOT_UID */ ++ runas_setup(); ++ if (setresuid(def_stay_setuid ? ++ user_uid : runas_pw->pw_uid, ++ runas_pw->pw_uid, runas_pw->pw_uid)) { ++ errstr = "unable to change to runas uid"; ++ goto bad; ++ } ++ ++#if defined(WITH_AUDIT) && defined(HAVE_LIBCAP) ++ if (runas_pw->pw_uid != ROOT_UID) { ++ if (prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0) < 0) { ++ errstr = "Error resetting KEEPCAPS, aborting\n"; ++ goto bad; ++ } ++ ++ if (cap_set_proc(new_caps)) { ++ errstr = "Error dropping capabilities, aborting\n"; ++ goto bad; ++ } ++ ++ if (cap_free (new_caps)) { ++ errstr = "Error freeing caps\n"; ++ goto bad; ++ } ++ } ++ } /* END CAP BLOCK */ ++#endif + break; +- + case PERM_SUDOERS: + /* assume euid == ROOT_UID, ruid == user */ + if (setresgid(-1, SUDOERS_GID, -1)) +diff -up sudo-1.7.2p1/sudo.c.audit sudo-1.7.2p1/sudo.c +--- sudo-1.7.2p1/sudo.c.audit 2009-10-30 12:25:49.000000000 +0100 ++++ sudo-1.7.2p1/sudo.c 2009-10-30 12:25:49.000000000 +0100 +@@ -95,6 +95,10 @@ + # include + #endif + ++#ifdef WITH_AUDIT ++#include ++#endif ++ + #include + #include "sudo.h" + #include "lbuf.h" +@@ -372,7 
+376,7 @@ main(argc, argv, envp) + + if (safe_cmnd == NULL) + safe_cmnd = estrdup(user_cmnd); +- ++ + #ifdef HAVE_SETLOCALE + setlocale(LC_ALL, ""); + #endif +@@ -538,12 +542,26 @@ main(argc, argv, envp) + (void) sigaction(SIGQUIT, &saved_sa_quit, NULL); + (void) sigaction(SIGTSTP, &saved_sa_tstp, NULL); + ++ closefrom(def_closefrom + 1); ++ ++#if defined(WITH_AUDIT) ++ audit_help_open (); ++#endif ++ if (access(safe_cmnd, X_OK) != 0) { ++ warn ("unable to execute %s", safe_cmnd); ++#ifdef WITH_AUDIT ++ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0); ++#endif ++ exit(127); ++ } ++#ifdef WITH_AUDIT ++ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 1); ++#endif ++ + /* Close the password and group files and free up memory. */ + sudo_endpwent(); + sudo_endgrent(); + +- closefrom(def_closefrom + 1); +- + #ifndef PROFILING + if (ISSET(sudo_mode, MODE_BACKGROUND) && fork() > 0) { + syslog(LOG_AUTH|LOG_ERR, "fork"); +@@ -568,11 +586,17 @@ main(argc, argv, envp) + NewArgv[1] = safe_cmnd; + execv(_PATH_BSHELL, NewArgv); + } ++#ifdef WITH_AUDIT ++ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0); ++#endif + warning("unable to execute %s", safe_cmnd); + exit(127); + } else if (ISSET(validated, FLAG_NO_USER | FLAG_NO_HOST)) { + audit_failure(NewArgv, "No user or host"); + log_denial(validated, 1); ++#ifdef WITH_AUDIT ++ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0); ++#endif + exit(1); + } else { + if (def_path_info) { +@@ -594,6 +618,9 @@ main(argc, argv, envp) + log_denial(validated, 1); + } + audit_failure(NewArgv, "validation failure"); ++#ifdef WITH_AUDIT ++ audit_logger(AUDIT_USER_CMD, safe_cmnd, user_args, 0); ++#endif + exit(1); + } + exit(0); /* not reached */ +diff -up sudo-1.7.2p1/sudo.h.audit sudo-1.7.2p1/sudo.h +--- sudo-1.7.2p1/sudo.h.audit 2009-10-30 12:25:49.000000000 +0100 ++++ sudo-1.7.2p1/sudo.h 2009-10-30 12:39:16.000000000 +0100 +@@ -24,6 +24,8 @@ + #ifndef _SUDO_SUDO_H + #define _SUDO_SUDO_H + ++#include ++ + #include + #include + 
#include "compat.h" +@@ -340,4 +342,14 @@ extern int sudo_mode; + extern int errno; + #endif + ++#ifdef WITH_AUDIT ++extern int audit_fd; ++extern void audit_help_open (void); ++extern void audit_logger (int, const char *, const char *, int); ++#ifdef HAVE_SELINUX ++# include ++extern int send_audit_message(int, security_context_t, security_context_t, const char *); ++#endif /* HAVE_SELINUX */ ++#endif /* WITH_AUDIT */ ++ + #endif /* _SUDO_SUDO_H */ diff --git a/sudo-1.7.2p1-envdebug.patch b/sudo-1.7.2p1-envdebug.patch new file mode 100644 index 0000000..e189c98 --- /dev/null +++ b/sudo-1.7.2p1-envdebug.patch @@ -0,0 +1,12 @@ +diff -up sudo-1.7.2p1/configure.in.envdebug sudo-1.7.2p1/configure.in +--- sudo-1.7.2p1/configure.in.envdebug 2009-10-30 12:18:09.000000000 +0100 ++++ sudo-1.7.2p1/configure.in 2009-10-30 12:19:01.000000000 +0100 +@@ -1214,7 +1214,7 @@ AC_ARG_ENABLE(env_debug, + [AS_HELP_STRING([--enable-env-debug], [Whether to enable environment debugging.])], + [ case "$enableval" in + yes) AC_MSG_RESULT(yes) +- AC_DEFINE(ENV_DEBUG) ++ AC_DEFINE(ENV_DEBUG, [], [Environment debugging.]) + ;; + no) AC_MSG_RESULT(no) + ;; diff --git a/sudo-1.7.2p1-login.patch b/sudo-1.7.2p1-login.patch new file mode 100644 index 0000000..aeb0cf6 --- /dev/null +++ b/sudo-1.7.2p1-login.patch 
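Review bot: In `send_audit_message` the `asprintf` failure branch jumps to `out:` and calls `free(msg)`, but after a failed asprintf the contents of `msg` are not guaranteed to still be the initial NULL on every C library, so return directly instead: `if (asprintf(...) < 0) { fprintf(stderr, "Error allocating memory.\n"); return -1; }`. In set_perms.c the PERM_FULL_RUNAS cap block leaks `new_caps` on every `goto bad` taken after a successful `cap_init()`; `bad:` lies outside the hunk so I cannot tell whether it exits, and a `cap_free(new_caps)` before each jump is the safe change. The new `audit_help.o` rule in Makefile.in passes `$(LIBADUIT)`, which is both misspelled and a link flag on a `-c` compile, so it should simply be dropped; the later sudo-1.7.2p2-libaudit.patch adds `@LIBAUDIT@` to SUDO_LIBS but leaves this misspelled reference in place. In sudo.c the new `access()` failure path calls `warn (...)` while the surrounding code and the other new lines use sudo's own `warning(...)`, which is a different function; use `warning("unable to execute %s", safe_cmnd);`. Since `access()` evaluates against the process's real uid and main's body lies outside the hunk, it is also worth confirming that this check runs after `set_perms(PERM_FULL_RUNAS)`, otherwise commands executable only by the runas user would be refused and recorded as audit failures.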
@@ -0,0 +1,111 @@ +diff -up sudo-1.7.2p1/auth/pam.c.login sudo-1.7.2p1/auth/pam.c +--- sudo-1.7.2p1/auth/pam.c.login 2009-05-25 14:02:42.000000000 +0200 ++++ sudo-1.7.2p1/auth/pam.c 2009-10-30 12:15:48.000000000 +0100 +@@ -100,7 +100,13 @@ pam_init(pw, promptp, auth) + if (auth != NULL) + auth->data = (void *) &pam_status; + pam_conv.conv = sudo_conv; +- pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh); ++#ifdef HAVE_PAM_LOGIN ++ if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) ++ pam_status = pam_start("sudo-i", pw->pw_name, &pam_conv, &pamh); ++ else ++#endif ++ pam_status = pam_start("sudo", pw->pw_name, &pam_conv, &pamh); ++ + if (pam_status != PAM_SUCCESS) { + log_error(USE_ERRNO|NO_EXIT|NO_MAIL, "unable to initialize PAM"); + return(AUTH_FATAL); +diff -up sudo-1.7.2p1/configure.in.login sudo-1.7.2p1/configure.in +--- sudo-1.7.2p1/configure.in.login 2009-07-20 15:34:37.000000000 +0200 ++++ sudo-1.7.2p1/configure.in 2009-10-30 12:16:24.000000000 +0100 +@@ -394,6 +394,17 @@ AC_ARG_WITH(pam, [AS_HELP_STRING([--with + ;; + esac]) + ++AC_ARG_WITH(pam-login, [ --with-pam-login enable specific PAM session for sudo -i], ++[case $with_pam_login in ++ yes) AC_DEFINE([HAVE_PAM_LOGIN], [], ["Define to 1 if you use specific PAM session for sodo -i."]) ++ AC_MSG_CHECKING(whether to use PAM login) ++ AC_MSG_RESULT(yes) ++ ;; ++ no) ;; ++ *) AC_MSG_ERROR(["--with-pam-login does not take an argument."]) ++ ;; ++esac]) ++ + AC_ARG_WITH(AFS, [AS_HELP_STRING([--with-AFS], [enable AFS support])], + [case $with_AFS in + yes) AC_DEFINE(HAVE_AFS) +diff -up sudo-1.7.2p1/env.c.login sudo-1.7.2p1/env.c +--- sudo-1.7.2p1/env.c.login 2009-06-23 20:24:42.000000000 +0200 ++++ sudo-1.7.2p1/env.c 2009-10-30 12:15:48.000000000 +0100 +@@ -102,7 +102,7 @@ struct environment { + /* + * Prototypes + */ +-void rebuild_env __P((int, int)); ++void rebuild_env __P((int)); + static void sudo_setenv __P((const char *, const char *, int)); + static void sudo_putenv __P((char *, int, int)); + +@@ 
-562,8 +562,7 @@ matches_env_keep(var) + * Also adds sudo-specific variables (SUDO_*). + */ + void +-rebuild_env(sudo_mode, noexec) +- int sudo_mode; ++rebuild_env(noexec) + int noexec; + { + char **old_envp, **ep, *cp, *ps1; +diff -up sudo-1.7.2p1/sudo.c.login sudo-1.7.2p1/sudo.c +--- sudo-1.7.2p1/sudo.c.login 2009-05-27 02:49:07.000000000 +0200 ++++ sudo-1.7.2p1/sudo.c 2009-10-30 12:15:48.000000000 +0100 +@@ -126,7 +126,7 @@ static void usage_excl __P((int)) + __attribute__((__noreturn__)); + static struct passwd *get_authpw __P((void)); + extern int sudo_edit __P((int, char **, char **)); +-extern void rebuild_env __P((int, int)); ++extern void rebuild_env __P((int)); + void validate_env_vars __P((struct list_member *)); + void insert_env_vars __P((struct list_member *)); + +@@ -157,6 +157,8 @@ login_cap_t *lc; + char *login_style; + #endif /* HAVE_BSD_AUTH_H */ + sigaction_t saved_sa_int, saved_sa_quit, saved_sa_tstp; ++ ++int sudo_mode; + static char *runas_user; + static char *runas_group; + static struct sudo_nss_list *snl; +@@ -172,7 +174,7 @@ main(argc, argv, envp) + char **envp; + { + int sources = 0, validated; +- int fd, cmnd_status, sudo_mode, pwflag, rc = 0; ++ int fd, cmnd_status, pwflag, rc = 0; + sigaction_t sa; + struct sudo_nss *nss; + #if defined(SUDO_DEVEL) && defined(__OpenBSD__) +@@ -421,7 +423,7 @@ main(argc, argv, envp) + def_env_reset = FALSE; + + /* Build a new environment that avoids any nasty bits. */ +- rebuild_env(sudo_mode, def_noexec); ++ rebuild_env(def_noexec); + + /* Fill in passwd struct based on user we are authenticating as. 
*/ + auth_pw = get_authpw(); +diff -up sudo-1.7.2p1/sudo.h.login sudo-1.7.2p1/sudo.h +--- sudo-1.7.2p1/sudo.h.login 2009-05-25 14:02:41.000000000 +0200 ++++ sudo-1.7.2p1/sudo.h 2009-10-30 12:15:48.000000000 +0100 +@@ -334,6 +334,7 @@ extern struct passwd *auth_pw, *list_pw; + extern int tgetpass_flags; + extern int long_list; + extern uid_t timestamp_uid; ++extern int sudo_mode; + #endif + #ifndef errno + extern int errno; diff --git a/sudo-1.7.2p2-libaudit.patch b/sudo-1.7.2p2-libaudit.patch new file mode 100644 index 0000000..3f1af38 --- /dev/null +++ b/sudo-1.7.2p2-libaudit.patch @@ -0,0 +1,32 @@ +diff -up sudo-1.7.2p2/configure.in.libaudit sudo-1.7.2p2/configure.in +--- sudo-1.7.2p2/configure.in.libaudit 2010-02-10 16:21:26.000000000 +0100 ++++ sudo-1.7.2p2/configure.in 2010-02-10 16:21:26.000000000 +0100 +@@ -1752,7 +1752,6 @@ dnl + : ${mansectsu='8'} + : ${mansectform='5'} + +-AC_SUBST(LIBAUDIT) + if test "$with_audit" = "yes"; then + # See if we have the audit library + AC_CHECK_HEADER(libaudit.h, [audit_header="yes"], [audit_header="no"]) +@@ -1770,6 +1769,8 @@ if test "$with_audit" = "yes"; then + fi + fi + ++AC_SUBST(LIBAUDIT) ++ + dnl + dnl Add in any libpaths or libraries specified via configure + dnl +diff -up sudo-1.7.2p2/Makefile.in.libaudit sudo-1.7.2p2/Makefile.in +--- sudo-1.7.2p2/Makefile.in.libaudit 2010-02-10 16:26:06.000000000 +0100 ++++ sudo-1.7.2p2/Makefile.in 2010-02-10 16:26:40.000000000 +0100 +@@ -44,7 +44,7 @@ INSTALL = $(SHELL) $(srcdir)/install-sh + # Libraries + LIBS = @LIBS@ + NET_LIBS = @NET_LIBS@ +-SUDO_LIBS = @SUDO_LIBS@ @AFS_LIBS@ @GETGROUPS_LIB@ $(LIBS) $(NET_LIBS) ++SUDO_LIBS = @SUDO_LIBS@ @AFS_LIBS@ @GETGROUPS_LIB@ @LIBAUDIT@ $(LIBS) $(NET_LIBS) + + # C preprocessor flags + CPPFLAGS = -I. -I$(srcdir) @CPPFLAGS@ diff --git a/sudo-1.7.2p4-getgrouplist.patch b/sudo-1.7.2p4-getgrouplist.patch new file mode 100644 index 0000000..454b35b --- /dev/null +++ b/sudo-1.7.2p4-getgrouplist.patch 
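Review bot: In auth/pam.c the added `if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) pam_status = ...; else` and the original `pam_status = pam_start("sudo", ...)` form one if/else split across `#ifdef HAVE_PAM_LOGIN`/`#endif`; it is correct as written, but any statement later inserted between `#endif` and the pam_start line silently becomes the else body, so brace both branches: `if (ISSET(sudo_mode, MODE_LOGIN_SHELL)) { pam_status = pam_start("sudo-i", pw->pw_name, &pam_conv, &pamh); } else`. In configure.in the `--with-pam-login` help text misspells the program as `sodo -i` and uses the legacy bare-string help format while the neighbouring `AC_ARG_WITH(pam, [AS_HELP_STRING(...)])` uses AS_HELP_STRING; `AC_ARG_WITH(pam-login, [AS_HELP_STRING([--with-pam-login], [enable specific PAM session for sudo -i])],` keeps the two consistent. Promoting `sudo_mode` from a local of main to a file-scope global makes the mode bits visible to every translation unit; the `extern int sudo_mode;` added to sudo.h sits inside a block whose guarding `#if` is outside the hunk, so confirm that auth/pam.c and env.c actually see the declaration rather than relying on an implicit one.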
@@ -0,0 +1,40 @@ +diff -up sudo-1.7.2p4/check.c.getgrouplist sudo-1.7.2p4/check.c +--- sudo-1.7.2p4/check.c.getgrouplist 2009-05-25 14:02:41.000000000 +0200 ++++ sudo-1.7.2p4/check.c 2010-03-01 11:27:38.000000000 +0100 +@@ -353,6 +353,24 @@ user_is_exempt() + return(TRUE); + } + ++#ifdef HAVE_GETGROUPLIST ++ { ++ gid_t *grouplist, grouptmp; ++ int n_groups, i; ++ n_groups = 1; ++ if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) { ++ grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1)); ++ if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0) ++ for (i = 0; i < n_groups; i++) ++ if (grouplist[i] == grp->gr_gid) { ++ free(grouplist); ++ return(TRUE); ++ } ++ free(grouplist); ++ } ++ } ++#endif ++ + return(FALSE); + } + +diff -up sudo-1.7.2p4/configure.in.getgrouplist sudo-1.7.2p4/configure.in +--- sudo-1.7.2p4/configure.in.getgrouplist 2010-03-01 11:27:38.000000000 +0100 ++++ sudo-1.7.2p4/configure.in 2010-03-01 11:29:45.000000000 +0100 +@@ -1852,7 +1852,7 @@ dnl + AC_FUNC_GETGROUPS + AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \ + strftime setrlimit initgroups getgroups fstat gettimeofday \ +- setlocale getaddrinfo setsid setenv setrlimit64) ++ setlocale getaddrinfo setsid setenv setrlimit64 getgrouplist) + AC_CHECK_FUNCS(unsetenv, SUDO_FUNC_UNSETENV_VOID) + SUDO_FUNC_PUTENV_CONST + if test -z "$SKIP_SETRESUID"; then diff --git a/sudo.spec b/sudo.spec index a3755ca..3bc04e3 100644 --- a/sudo.spec +++ b/sudo.spec @@ -1,12 +1,12 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.7.1 -Release: 4%{?dist} +Version: 1.7.2p5 +Release: 1%{?dist} License: BSD Group: Applications/System URL: http://www.courtesan.com/sudo/ Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz -Source1: sudo-1.6.8p12-sudoers +Source1: sudo-1.7.2p2-sudoers Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) Requires: /etc/pam.d/system-auth, vim-minimal 
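Review bot: The new membership loop in `user_is_exempt()` nests `if`/`for`/`if` without braces, and with `free(grouplist)` and `return(TRUE)` inside, bracing the `if (getgrouplist(...) > 0)` and `for` bodies (no behaviour change) would make the ownership of `grouplist` easier to audit. The cast in `(gid_t *) emalloc(...)` is unnecessary in C and the size is better tied to the variable: `grouplist = emalloc(sizeof *grouplist * (n_groups + 1));`. If the second `getgrouplist()` call fails (for example because membership changed between the two calls) the user is treated as non-exempt, which is the fail-closed outcome, but it happens silently; a one-line comment stating that intent, e.g. `/* second lookup failed: treat as not exempt */`, would help. This check consults the group database via NSS rather than the process's current supplementary groups, so a group change affects exemption without a re-login; whether that matches the rest of `user_is_exempt()` cannot be judged here since the function start is outside the hunk.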
@@ -23,14 +23,16 @@ BuildRequires: sendmail # don't strip Patch1: sudo-1.6.7p5-strip.patch # use specific PAM session for sudo -i (#198755) -Patch2: sudo-1.7.1-login.patch -# the rest, see changelog -Patch3: sudo-1.7.1-envdebug.patch +Patch2: sudo-1.7.2p1-login.patch +# configure.in fix +Patch3: sudo-1.7.2p1-envdebug.patch Patch4: sudo-1.7.1-libtool.patch -Patch5: sudo-1.7.1-getgrouplist.patch -Patch6: sudo-1.7.1-audit.patch -Patch7: sudo-1.7.1-conffix.patch -Patch8: sudo-1.7.1-auditfix.patch +# getgrouplist() to determine group membership (#235915) +Patch5: sudo-1.7.2p4-getgrouplist.patch +# audit support improvement +Patch6: sudo-1.7.2p1-audit.patch +# audit related Makefile.in and configure.in corrections +Patch7: sudo-1.7.2p2-libaudit.patch %description Sudo (superuser do) allows a system administrator to give certain @@ -51,12 +53,13 @@ on many different machines. %patch4 -p1 -b .libtool %patch5 -p1 -b .getgrouplist %patch6 -p1 -b .audit -%patch7 -p1 -b .conffix -%patch8 -p1 -b .auditfix +%patch7 -p1 -b .libaudit %build -#hande newer autoconf -libtoolize --force && rm acsite.m4 && mv aclocal.m4 acinclude.m4 && autoreconf +# handle newer autoconf +rm acsite.m4 +mv aclocal.m4 acinclude.m4 +autoreconf -fv --install %ifarch s390 s390x sparc64 F_PIE=-fPIE @@ -81,7 +84,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie" --with-ldap \ --with-selinux \ --with-passprompt="[sudo] password for %p: " \ - --with-secure-path="/sbin:/bin:/usr/sbin:/usr/bin" + --with-audit # --without-kerb5 \ # --without-kerb4 make @@ -91,6 +94,7 @@ rm -rf $RPM_BUILD_ROOT make install DESTDIR="$RPM_BUILD_ROOT" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g` chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/* install -p -d -m 700 $RPM_BUILD_ROOT/var/run/sudo +install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers mkdir -p $RPM_BUILD_ROOT/etc/pam.d 
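Review bot: The compiled-in secure_path default is lost in the configure hunk: `--with-secure-path="/sbin:/bin:/usr/sbin:/usr/bin"` is removed when `--with-audit` is added, so command lookup falls back to the invoking user's PATH unless the installed sudoers sets `Defaults secure_path`; the new Source1 `sudo-1.7.2p2-sudoers` is not shown in this diff, so either confirm it carries that default or keep the option, e.g. `--with-secure-path="/sbin:/bin:/usr/sbin:/usr/bin" \` followed by `--with-audit`. The `%build` rewrite also drops `libtoolize --force` from the former command chain; rpmbuild normally runs the section with `sh -e`, so unchaining `rm`/`mv`/`autoreconf` is harmless, but the removed libtoolize step is a behaviour change that deserves a changelog line. `install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d` only matters if the installed sudoers contains an `#includedir /etc/sudoers.d` line, which again depends on the unseen Source1 and is worth a comment next to the install line.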
@@ -119,8 +123,9 @@ rm -rf $RPM_BUILD_ROOT %files %defattr(-,root,root) %doc ChangeLog WHATSNEW HISTORY LICENSE README* TROUBLESHOOTING UPGRADE -%doc *.pod schema.* sudoers2ldif sample.* +%doc sudoers.ldap.pod schema.* sudoers2ldif sample.* %attr(0440,root,root) %config(noreplace) /etc/sudoers +%attr(0750,root,root) %dir /etc/sudoers.d/ %config(noreplace) /etc/pam.d/sudo %config(noreplace) /etc/pam.d/sudo-i %dir /var/run/sudo @@ -139,6 +144,10 @@ rm -rf $RPM_BUILD_ROOT /bin/chmod 0440 /etc/sudoers || : %changelog +* Mon Mar 1 2010 Daniel Kopecek 1.7.2p5-1 +- update to new upstream version +- backport changes from F-12 + * Thu Jul 09 2009 Daniel Kopecek 1.7.1-4 - moved the closefrom() call before audit_help_open() (sudo-1.7.1-auditfix.patch)