[sudo] - update to new upstream version - new command available: sudoreplay - use native audit support - co
Daniel Kopeček
mildew at fedoraproject.org
Tue Sep 7 14:28:28 UTC 2010
commit 520e07da9c0f76146fcbc90b2c5b8954efb9d737
Author: dnk <dnk at dhcp-29-221.brq.redhat.com>
Date: Tue Sep 7 16:28:31 2010 +0200
- update to new upstream version
- new command available: sudoreplay
- use native audit support
- corrected license field value: BSD -> ISC
.gitignore | 2 +
sources | 2 +-
sudo-1.7.4p3-m4path.patch | 17 ++++++++++
sudo-1.7.4p3-sudolist.patch | 67 +++++++++++++++++++++++++++++++++++++++
sudo-1.7.4p4-getgrouplist.patch | 39 ++++++++++++++++++++++
sudo.spec | 45 ++++++++++++++-----------
6 files changed, 151 insertions(+), 21 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 79d1947..caa2d6c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,4 @@
sudo-1.7.2p6.tar.gz
sudo-1.7.2p2-sudoers
+/sudo-1.7.4p4.tar.gz
+/sudo-1.7.2p2-sudoers
diff --git a/sources b/sources
index e8d3499..e748005 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-c4f1a43e8ba94f6bf06d2211442148c4 sudo-1.7.2p6.tar.gz
+55d9906535d70a1de347cd3d3550ee87 sudo-1.7.4p4.tar.gz
d657d8d55ecdf88a2d11da73ac5662a4 sudo-1.7.2p2-sudoers
diff --git a/sudo-1.7.4p3-m4path.patch b/sudo-1.7.4p3-m4path.patch
new file mode 100644
index 0000000..b1f8e1b
--- /dev/null
+++ b/sudo-1.7.4p3-m4path.patch
@@ -0,0 +1,17 @@
+diff -up sudo-1.7.4p3/aclocal.m4.m4path sudo-1.7.4p3/aclocal.m4
+--- sudo-1.7.4p3/aclocal.m4.m4path 2010-09-07 13:11:59.095198365 +0200
++++ sudo-1.7.4p3/aclocal.m4 2010-09-07 13:12:25.718209211 +0200
+@@ -368,8 +368,8 @@ EOF
+ dnl
+ dnl Pull in libtool macros
+ dnl
+-m4_include([libtool.m4])
+-m4_include([ltoptions.m4])
+-m4_include([ltsugar.m4])
+-m4_include([ltversion.m4])
+-m4_include([lt~obsolete.m4])
++m4_include([m4/libtool.m4])
++m4_include([m4/ltoptions.m4])
++m4_include([m4/ltsugar.m4])
++m4_include([m4/ltversion.m4])
++m4_include([m4/lt~obsolete.m4])
diff --git a/sudo-1.7.4p3-sudolist.patch b/sudo-1.7.4p3-sudolist.patch
new file mode 100644
index 0000000..e75b445
--- /dev/null
+++ b/sudo-1.7.4p3-sudolist.patch
@@ -0,0 +1,67 @@
+diff -up sudo-1.7.4p3/parse.c.orig sudo-1.7.4p3/parse.c
+--- sudo-1.7.4p3/parse.c.orig 2010-09-07 15:00:12.728260953 +0200
++++ sudo-1.7.4p3/parse.c 2010-09-07 15:00:38.950188803 +0200
+@@ -158,8 +158,8 @@ sudo_file_lookup(nss, validated, pwflag)
+
+ /*
+ * Only check the actual command if pwflag is not set.
+- * It is set for the "validate", "list" and "kill" pseudo-commands.
+- * Always check the host and user.
++ * It is set for the "sudovalidate", "sudolist" and "sudokill"
++ * pseudo-commands. Always check the host and user.
+ */
+ if (pwflag) {
+ int nopass;
+diff -up sudo-1.7.4p3/sudo.c.orig sudo-1.7.4p3/sudo.c
+--- sudo-1.7.4p3/sudo.c.orig 2010-09-07 14:57:08.201198517 +0200
++++ sudo-1.7.4p3/sudo.c 2010-09-07 14:55:47.208260545 +0200
+@@ -232,7 +232,7 @@ main(argc, argv, envp)
+
+ pwflag = 0;
+ if (ISSET(sudo_mode, MODE_SHELL))
+- user_cmnd = "shell";
++ user_cmnd = "sudoshell";
+ else if (ISSET(sudo_mode, MODE_EDIT))
+ user_cmnd = "sudoedit";
+ else {
+@@ -245,12 +245,12 @@ main(argc, argv, envp)
+ break;
+ case MODE_VALIDATE:
+ case MODE_VALIDATE|MODE_INVALIDATE:
+- user_cmnd = "validate";
++ user_cmnd = "sudovalidate";
+ pwflag = I_VERIFYPW;
+ break;
+ case MODE_KILL:
+ case MODE_INVALIDATE:
+- user_cmnd = "kill";
++ user_cmnd = "sudokill";
+ pwflag = -1;
+ break;
+ case MODE_LISTDEFS:
+@@ -259,7 +259,7 @@ main(argc, argv, envp)
+ break;
+ case MODE_LIST:
+ case MODE_LIST|MODE_INVALIDATE:
+- user_cmnd = "list";
++ user_cmnd = "sudolist";
+ pwflag = I_LISTPW;
+ break;
+ case MODE_CHECK:
+@@ -701,13 +701,13 @@ init_vars(envp)
+ set_perms(PERM_ROOT);
+
+ /*
+- * If we were given the '-e', '-i' or '-s' options we need to redo
++ * If we were given the '-e', '-i', '-l' or '-s' options we need to redo
+ * NewArgv and NewArgc.
+ */
+- if (ISSET(sudo_mode, MODE_EDIT)) {
++ if (ISSET(sudo_mode, MODE_EDIT|MODE_LIST)) {
+ NewArgv--;
+ NewArgc++;
+- NewArgv[0] = "sudoedit";
++ NewArgv[0] = user_cmnd;
+ } else if (ISSET(sudo_mode, MODE_SHELL)) {
+ char **av;
+
diff --git a/sudo-1.7.4p4-getgrouplist.patch b/sudo-1.7.4p4-getgrouplist.patch
new file mode 100644
index 0000000..dd584e7
--- /dev/null
+++ b/sudo-1.7.4p4-getgrouplist.patch
@@ -0,0 +1,39 @@
+diff -up sudo-1.7.4p4/configure.in.getgrouplist sudo-1.7.4p4/configure.in
+--- sudo-1.7.4p4/configure.in.getgrouplist 2010-09-07 15:53:38.400260828 +0200
++++ sudo-1.7.4p4/configure.in 2010-09-07 15:54:48.751188374 +0200
+@@ -1913,7 +1913,7 @@ AC_FUNC_GETGROUPS
+ AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \
+ strftime setrlimit initgroups getgroups fstat gettimeofday \
+ regcomp setlocale getaddrinfo setenv vhangup \
+- mbr_check_membership setrlimit64)
++ mbr_check_membership setrlimit64 getgrouplist)
+ AC_CHECK_FUNCS(getline, [], [
+ AC_LIBOBJ(getline)
+ AC_CHECK_FUNCS(fgetln)
+diff -up sudo-1.7.4p4/pwutil.c.getgrouplist sudo-1.7.4p4/pwutil.c
+--- sudo-1.7.4p4/pwutil.c.getgrouplist 2010-09-07 15:53:26.816198477 +0200
++++ sudo-1.7.4p4/pwutil.c 2010-09-07 15:54:16.990188543 +0200
+@@ -628,5 +628,23 @@ user_in_group(pw, group)
+ }
+ #endif /* HAVE_MBR_CHECK_MEMBERSHIP */
+
++#ifdef HAVE_GETGROUPLIST
++ {
++ gid_t *grouplist, grouptmp;
++ int n_groups, i;
++ n_groups = 1;
++ if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) {
++ grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1));
++ if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0)
++ for (i = 0; i < n_groups; i++)
++ if (grouplist[i] == grp->gr_gid) {
++ free(grouplist);
++ return(TRUE);
++ }
++ free(grouplist);
++ }
++ }
++#endif /* HAVE_GETGROUPLIST */
++
+ return(FALSE);
+ }
diff --git a/sudo.spec b/sudo.spec
index c234515..abb7a27 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,8 +1,8 @@
Summary: Allows restricted root access for specified users
Name: sudo
-Version: 1.7.2p6
-Release: 2%{?dist}
-License: BSD
+Version: 1.7.4p4
+Release: 1%{?dist}
+License: ISC
Group: Applications/System
URL: http://www.courtesan.com/sudo/
Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz
@@ -22,17 +22,14 @@ BuildRequires: sendmail
# don't strip
Patch1: sudo-1.6.7p5-strip.patch
-# use specific PAM session for sudo -i (#198755)
-Patch2: sudo-1.7.2p1-login.patch
# configure.in fix
-Patch3: sudo-1.7.2p1-envdebug.patch
-Patch4: sudo-1.7.1-libtool.patch
+Patch2: sudo-1.7.2p1-envdebug.patch
+# add m4/ to paths in aclocal.m4
+Patch3: sudo-1.7.4p3-m4path.patch
+# don't emalloc(0)
+Patch4: sudo-1.7.4p3-sudolist.patch
# getgrouplist() to determine group membership (#235915)
-Patch5: sudo-1.7.2p4-getgrouplist.patch
-# audit support improvement
-Patch6: sudo-1.7.2p6-audit.patch
-# insufficient environment sanitization issue (#598154)
-Patch7: sudo-1.7.2p2-envsanitize.patch
+Patch5: sudo-1.7.4p4-getgrouplist.patch
%description
Sudo (superuser do) allows a system administrator to give certain
@@ -47,17 +44,16 @@ on many different machines.
%prep
%setup -q
+
%patch1 -p1 -b .strip
-%patch2 -p1 -b .login
-%patch3 -p1 -b .envdebug
-%patch4 -p1 -b .libtool
+%patch2 -p1 -b .envdebug
+%patch3 -p1 -b .m4path
+%patch4 -p1 -b .sudolist
%patch5 -p1 -b .getgrouplist
-%patch6 -p1 -b .audit
-%patch7 -p1 -b .envsanitize
%build
# handle newer autoconf
-rm acsite.m4
+rm -f acsite.m4
mv aclocal.m4 acinclude.m4
autoreconf -fv --install
@@ -73,6 +69,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie"
--prefix=%{_prefix} \
--sbindir=%{_sbindir} \
--libdir=%{_libdir} \
+ --docdir=%{_datadir}/doc/%{name}-%{version} \
--with-logging=syslog \
--with-logfac=authpriv \
--with-pam \
@@ -84,7 +81,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie"
--with-ldap \
--with-selinux \
--with-passprompt="[sudo] password for %p: " \
- --with-audit
+ --with-linux-audit
# --without-kerb5 \
# --without-kerb4
make
@@ -122,7 +119,7 @@ rm -rf $RPM_BUILD_ROOT
%files
%defattr(-,root,root)
-%doc ChangeLog WHATSNEW HISTORY LICENSE README* TROUBLESHOOTING UPGRADE
+%doc ChangeLog NEWS HISTORY LICENSE README* TROUBLESHOOTING UPGRADE
%doc sudoers.ldap.pod schema.* sudoers2ldif sample.*
%attr(0440,root,root) %config(noreplace) /etc/sudoers
%attr(0750,root,root) %dir /etc/sudoers.d/
@@ -131,6 +128,7 @@ rm -rf $RPM_BUILD_ROOT
%dir /var/run/sudo
%attr(4111,root,root) %{_bindir}/sudo
%attr(4111,root,root) %{_bindir}/sudoedit
+%attr(0111,root,root) %{_bindir}/sudoreplay
%attr(0755,root,root) %{_sbindir}/visudo
%attr(0755,root,root) %{_libexecdir}/sesh
%{_libexecdir}/sudo_noexec.*
@@ -138,6 +136,7 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man5/sudoers.ldap.5*
%{_mandir}/man8/sudo.8*
%{_mandir}/man8/sudoedit.8*
+%{_mandir}/man8/sudoreplay.8*
%{_mandir}/man8/visudo.8*
# Make sure permissions are ok even if we're updating
@@ -145,6 +144,12 @@ rm -rf $RPM_BUILD_ROOT
/bin/chmod 0440 /etc/sudoers || :
%changelog
+* Tue Sep 7 2010 Daniel Kopecek <dkopecek at redhat.com> - 1.7.4p4-1
+- update to new upstream version
+- new command available: sudoreplay
+- use native audit support
+- corrected license field value: BSD -> ISC
+
* Wed Jun 2 2010 Daniel Kopecek <dkopecek at redhat.com> - 1.7.2p6-2
- added patch that fixes insufficient environment sanitization issue (#598154)
More information about the scm-commits
mailing list