[sudo] - update to new upstream version - new command available: sudoreplay - use native audit support - co

Daniel Kopeček mildew at fedoraproject.org
Tue Sep 7 14:28:28 UTC 2010


commit 520e07da9c0f76146fcbc90b2c5b8954efb9d737
Author: dnk <dnk at dhcp-29-221.brq.redhat.com>
Date:   Tue Sep 7 16:28:31 2010 +0200

    - update to new upstream version
    - new command available: sudoreplay
    - use native audit support
    - corrected license field value: BSD -> ISC

 .gitignore                      |    2 +
 sources                         |    2 +-
 sudo-1.7.4p3-m4path.patch       |   17 ++++++++++
 sudo-1.7.4p3-sudolist.patch     |   67 +++++++++++++++++++++++++++++++++++++++
 sudo-1.7.4p4-getgrouplist.patch |   39 ++++++++++++++++++++++
 sudo.spec                       |   45 ++++++++++++++-----------
 6 files changed, 151 insertions(+), 21 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 79d1947..caa2d6c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,4 @@
 sudo-1.7.2p6.tar.gz
 sudo-1.7.2p2-sudoers
+/sudo-1.7.4p4.tar.gz
+/sudo-1.7.2p2-sudoers
diff --git a/sources b/sources
index e8d3499..e748005 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-c4f1a43e8ba94f6bf06d2211442148c4  sudo-1.7.2p6.tar.gz
+55d9906535d70a1de347cd3d3550ee87  sudo-1.7.4p4.tar.gz
 d657d8d55ecdf88a2d11da73ac5662a4  sudo-1.7.2p2-sudoers
diff --git a/sudo-1.7.4p3-m4path.patch b/sudo-1.7.4p3-m4path.patch
new file mode 100644
index 0000000..b1f8e1b
--- /dev/null
+++ b/sudo-1.7.4p3-m4path.patch
@@ -0,0 +1,17 @@
+diff -up sudo-1.7.4p3/aclocal.m4.m4path sudo-1.7.4p3/aclocal.m4
+--- sudo-1.7.4p3/aclocal.m4.m4path	2010-09-07 13:11:59.095198365 +0200
++++ sudo-1.7.4p3/aclocal.m4	2010-09-07 13:12:25.718209211 +0200
+@@ -368,8 +368,8 @@ EOF
+ dnl
+ dnl Pull in libtool macros
+ dnl
+-m4_include([libtool.m4])
+-m4_include([ltoptions.m4])
+-m4_include([ltsugar.m4])
+-m4_include([ltversion.m4])
+-m4_include([lt~obsolete.m4])
++m4_include([m4/libtool.m4])
++m4_include([m4/ltoptions.m4])
++m4_include([m4/ltsugar.m4])
++m4_include([m4/ltversion.m4])
++m4_include([m4/lt~obsolete.m4])
diff --git a/sudo-1.7.4p3-sudolist.patch b/sudo-1.7.4p3-sudolist.patch
new file mode 100644
index 0000000..e75b445
--- /dev/null
+++ b/sudo-1.7.4p3-sudolist.patch
@@ -0,0 +1,67 @@
+diff -up sudo-1.7.4p3/parse.c.orig sudo-1.7.4p3/parse.c
+--- sudo-1.7.4p3/parse.c.orig	2010-09-07 15:00:12.728260953 +0200
++++ sudo-1.7.4p3/parse.c	2010-09-07 15:00:38.950188803 +0200
+@@ -158,8 +158,8 @@ sudo_file_lookup(nss, validated, pwflag)
+ 
+     /*
+      * Only check the actual command if pwflag is not set.
+-     * It is set for the "validate", "list" and "kill" pseudo-commands.
+-     * Always check the host and user.
++     * It is set for the "sudovalidate", "sudolist" and "sudokill"
++     * pseudo-commands. Always check the host and user.
+      */
+     if (pwflag) {
+ 	int nopass;
+diff -up sudo-1.7.4p3/sudo.c.orig sudo-1.7.4p3/sudo.c
+--- sudo-1.7.4p3/sudo.c.orig	2010-09-07 14:57:08.201198517 +0200
++++ sudo-1.7.4p3/sudo.c	2010-09-07 14:55:47.208260545 +0200
+@@ -232,7 +232,7 @@ main(argc, argv, envp)
+ 
+     pwflag = 0;
+     if (ISSET(sudo_mode, MODE_SHELL))
+-	user_cmnd = "shell";
++	user_cmnd = "sudoshell";
+     else if (ISSET(sudo_mode, MODE_EDIT))
+ 	user_cmnd = "sudoedit";
+     else {
+@@ -245,12 +245,12 @@ main(argc, argv, envp)
+ 		break;
+ 	    case MODE_VALIDATE:
+ 	    case MODE_VALIDATE|MODE_INVALIDATE:
+-		user_cmnd = "validate";
++		user_cmnd = "sudovalidate";
+ 		pwflag = I_VERIFYPW;
+ 		break;
+ 	    case MODE_KILL:
+ 	    case MODE_INVALIDATE:
+-		user_cmnd = "kill";
++		user_cmnd = "sudokill";
+ 		pwflag = -1;
+ 		break;
+ 	    case MODE_LISTDEFS:
+@@ -259,7 +259,7 @@ main(argc, argv, envp)
+ 		break;
+ 	    case MODE_LIST:
+ 	    case MODE_LIST|MODE_INVALIDATE:
+-		user_cmnd = "list";
++		user_cmnd = "sudolist";
+ 		pwflag = I_LISTPW;
+ 		break;
+ 	    case MODE_CHECK:
+@@ -701,13 +701,13 @@ init_vars(envp)
+ 	set_perms(PERM_ROOT);
+ 
+     /*
+-     * If we were given the '-e', '-i' or '-s' options we need to redo
++     * If we were given the '-e', '-i', '-l' or '-s' options we need to redo
+      * NewArgv and NewArgc.
+      */
+-    if (ISSET(sudo_mode, MODE_EDIT)) {
++    if (ISSET(sudo_mode, MODE_EDIT|MODE_LIST)) {
+ 	NewArgv--;
+ 	NewArgc++;
+-	NewArgv[0] = "sudoedit";
++	NewArgv[0] = user_cmnd;
+     } else if (ISSET(sudo_mode, MODE_SHELL)) {
+ 	char **av;
+ 
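Review bot: `NewArgv[0] = user_cmnd;` in the init_vars() hunk depends on user_cmnd already holding "sudoedit" or "sudolist" when init_vars() runs, whereas the old code used a literal and had no ordering dependency. The visible hunks show main() assigning user_cmnd but not where init_vars() is called relative to that, so the order should be confirmed and recorded, for example `/* user_cmnd is set in main() from sudo_mode before init_vars() is called */`. The renamed pseudo-commands ("sudoshell", "sudovalidate", "sudokill", "sudolist") are also an externally visible change if user_cmnd reaches syslog or audit records. Any log matching or alerting keyed on the old names would then stop firing, so the rename deserves a changelog line. Both main() and init_vars() extend outside the hunks.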
diff --git a/sudo-1.7.4p4-getgrouplist.patch b/sudo-1.7.4p4-getgrouplist.patch
new file mode 100644
index 0000000..dd584e7
--- /dev/null
+++ b/sudo-1.7.4p4-getgrouplist.patch
@@ -0,0 +1,39 @@
+diff -up sudo-1.7.4p4/configure.in.getgrouplist sudo-1.7.4p4/configure.in
+--- sudo-1.7.4p4/configure.in.getgrouplist	2010-09-07 15:53:38.400260828 +0200
++++ sudo-1.7.4p4/configure.in	2010-09-07 15:54:48.751188374 +0200
+@@ -1913,7 +1913,7 @@ AC_FUNC_GETGROUPS
+ AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \
+ 	       strftime setrlimit initgroups getgroups fstat gettimeofday \
+ 	       regcomp setlocale getaddrinfo setenv vhangup \
+-	       mbr_check_membership setrlimit64)
++	       mbr_check_membership setrlimit64 getgrouplist)
+ AC_CHECK_FUNCS(getline, [], [
+     AC_LIBOBJ(getline)
+     AC_CHECK_FUNCS(fgetln)
+diff -up sudo-1.7.4p4/pwutil.c.getgrouplist sudo-1.7.4p4/pwutil.c
+--- sudo-1.7.4p4/pwutil.c.getgrouplist	2010-09-07 15:53:26.816198477 +0200
++++ sudo-1.7.4p4/pwutil.c	2010-09-07 15:54:16.990188543 +0200
+@@ -628,5 +628,23 @@ user_in_group(pw, group)
+     }
+ #endif /* HAVE_MBR_CHECK_MEMBERSHIP */
+ 
++#ifdef HAVE_GETGROUPLIST
++    {
++	gid_t *grouplist, grouptmp;
++	int n_groups, i;
++	n_groups = 1;
++	if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) {
++	    grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1));
++	    if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0)
++		for (i = 0; i < n_groups; i++)
++		    if (grouplist[i] == grp->gr_gid) {
++			free(grouplist);
++			return(TRUE);
++		    }
++	    free(grouplist);
++	}
++    }
++#endif /* HAVE_GETGROUPLIST */
++
+     return(FALSE);
+ }
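Review bot: The added block calls `getgrouplist(user_name, user_gid, ...)` instead of using the `pw` argument of user_in_group(). If user_name and user_gid refer to the invoking user (as the names suggest), the membership answer is wrong whenever the function is asked about any other account. Assuming pw is the struct passwd of the user being checked, the two calls should read `getgrouplist(pw->pw_name, pw->pw_gid, &grouptmp, &n_groups)` and `getgrouplist(pw->pw_name, pw->pw_gid, grouplist, &n_groups)`. Separately, when the first call succeeds with n_groups == 1, the single gid returned in grouptmp is never compared with grp->gr_gid; that is only safe if the primary gid is already checked earlier in the function, which lies outside the hunk. The `> 0` test on the second call also assumes the glibc return convention (group count on success), so it would reject a successful call on a platform that returns 0.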
diff --git a/sudo.spec b/sudo.spec
index c234515..abb7a27 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,8 +1,8 @@
 Summary: Allows restricted root access for specified users
 Name: sudo
-Version: 1.7.2p6
-Release: 2%{?dist}
-License: BSD
+Version: 1.7.4p4
+Release: 1%{?dist}
+License: ISC
 Group: Applications/System
 URL: http://www.courtesan.com/sudo/
 Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz
@@ -22,17 +22,14 @@ BuildRequires: sendmail
 
 # don't strip
 Patch1: sudo-1.6.7p5-strip.patch
-# use specific PAM session for sudo -i (#198755)
-Patch2: sudo-1.7.2p1-login.patch
 # configure.in fix
-Patch3: sudo-1.7.2p1-envdebug.patch
-Patch4: sudo-1.7.1-libtool.patch
+Patch2: sudo-1.7.2p1-envdebug.patch
+# add m4/ to paths in aclocal.m4
+Patch3: sudo-1.7.4p3-m4path.patch
+# don't emalloc(0)
+Patch4: sudo-1.7.4p3-sudolist.patch
 # getgrouplist() to determine group membership (#235915)
-Patch5: sudo-1.7.2p4-getgrouplist.patch
-# audit support improvement
-Patch6: sudo-1.7.2p6-audit.patch
-# insufficient environment sanitization issue (#598154)
-Patch7: sudo-1.7.2p2-envsanitize.patch
+Patch5: sudo-1.7.4p4-getgrouplist.patch
 
 %description
 Sudo (superuser do) allows a system administrator to give certain
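Review bot: Nothing in the spec or the changelog records why Patch7 (insufficient environment sanitization, #598154) and the `sudo -i` PAM session patch (#198755) are no longer applied. Presumably 1.7.4p4 contains both fixes, but someone auditing the package cannot confirm that from this commit. If that is the case, a changelog line such as `- dropped envsanitize, login and audit patches (merged upstream)` would close the gap. The comment `# don't emalloc(0)` above Patch4 also does not describe what sudo-1.7.4p3-sudolist.patch visibly does, which is renaming the pseudo-commands and setting NewArgv[0] for list mode; something like `# prefix pseudo-command names with "sudo", set NewArgv[0] for -l` would match the patch.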
@@ -47,17 +44,16 @@ on many different machines.
 
 %prep
 %setup -q
+
 %patch1 -p1 -b .strip
-%patch2 -p1 -b .login
-%patch3 -p1 -b .envdebug
-%patch4 -p1 -b .libtool
+%patch2 -p1 -b .envdebug
+%patch3 -p1 -b .m4path
+%patch4 -p1 -b .sudolist
 %patch5 -p1 -b .getgrouplist
-%patch6 -p1 -b .audit
-%patch7 -p1 -b .envsanitize
 
 %build
 # handle newer autoconf
-rm acsite.m4
+rm -f acsite.m4
 mv aclocal.m4 acinclude.m4
 autoreconf -fv --install
 
@@ -73,6 +69,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie"
         --prefix=%{_prefix} \
         --sbindir=%{_sbindir} \
         --libdir=%{_libdir} \
+	--docdir=%{_datadir}/doc/%{name}-%{version} \
         --with-logging=syslog \
         --with-logfac=authpriv \
         --with-pam \
@@ -84,7 +81,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie"
         --with-ldap \
 	--with-selinux \
 	--with-passprompt="[sudo] password for %p: " \
-	--with-audit
+	--with-linux-audit
 #	--without-kerb5 \
 #	--without-kerb4
 make
@@ -122,7 +119,7 @@ rm -rf $RPM_BUILD_ROOT
 
 %files
 %defattr(-,root,root)
-%doc ChangeLog WHATSNEW HISTORY LICENSE README* TROUBLESHOOTING UPGRADE
+%doc ChangeLog NEWS HISTORY LICENSE README* TROUBLESHOOTING UPGRADE
 %doc sudoers.ldap.pod schema.* sudoers2ldif sample.*
 %attr(0440,root,root) %config(noreplace) /etc/sudoers
 %attr(0750,root,root) %dir /etc/sudoers.d/
@@ -131,6 +128,7 @@ rm -rf $RPM_BUILD_ROOT
 %dir /var/run/sudo
 %attr(4111,root,root) %{_bindir}/sudo
 %attr(4111,root,root) %{_bindir}/sudoedit
+%attr(0111,root,root) %{_bindir}/sudoreplay
 %attr(0755,root,root) %{_sbindir}/visudo
 %attr(0755,root,root) %{_libexecdir}/sesh
 %{_libexecdir}/sudo_noexec.*
@@ -138,6 +136,7 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man5/sudoers.ldap.5*
 %{_mandir}/man8/sudo.8*
 %{_mandir}/man8/sudoedit.8*
+%{_mandir}/man8/sudoreplay.8*
 %{_mandir}/man8/visudo.8*
 
 # Make sure permissions are ok even if we're updating
@@ -145,6 +144,12 @@ rm -rf $RPM_BUILD_ROOT
 /bin/chmod 0440 /etc/sudoers || :
 
 %changelog
+* Tue Sep  7 2010 Daniel Kopecek <dkopecek at redhat.com> - 1.7.4p4-1
+- update to new upstream version
+- new command available: sudoreplay
+- use native audit support
+- corrected license field value: BSD -> ISC
+
 * Wed Jun  2 2010 Daniel Kopecek <dkopecek at redhat.com> - 1.7.2p6-2
 - added patch that fixes insufficient environment sanitization issue (#598154)
 

