[sudo/f12/master] - update to new upstream version - sudo now uses /var/db/sudo for timestamps - new command available
Daniel Kopeček
mildew at fedoraproject.org
Wed Sep 8 09:12:27 UTC 2010
commit 0134e1a84e997d96da83b4c4d7a3a2538330693b
Author: Daniel Kopecek <dkopecek at redhat.com>
Date: Wed Sep 8 11:12:26 2010 +0200
- update to new upstream version
- sudo now uses /var/db/sudo for timestamps
- new command available: sudoreplay
- use native audit support
- corrected license field value: BSD -> ISC
- added env_keep += HOME (see rhbz#614025) for
backwards compatibility
- added Defaults !visiblepw
.gitignore | 2 +
sources | 4 +-
sudo-1.7.1-audit.patch | 389 -------------------------------------
sudo-1.7.1-auditfix.patch | 48 -----
sudo-1.7.1-conffix.patch | 12 --
sudo-1.7.1-envdebug.patch | 12 --
sudo-1.7.1-getgrouplist.patch | 40 ----
sudo-1.7.1-libtool.patch | 12 --
sudo-1.7.1-login.patch | 111 -----------
sudo-1.7.2p1-audit.patch | 400 --------------------------------------
sudo-1.7.2p1-login.patch | 111 -----------
sudo-1.7.2p2-emptyincldir.patch | 38 ----
sudo-1.7.2p2-envsanitize.patch | 83 --------
sudo-1.7.2p2-libaudit.patch | 32 ---
sudo-1.7.2p2-loopsegv3.patch | 33 ----
sudo-1.7.2p4-getgrouplist.patch | 40 ----
sudo-1.7.2p6-audit.patch | 401 ---------------------------------------
sudo-1.7.4p3-m4path.patch | 17 ++
sudo-1.7.4p3-sudolist.patch | 67 +++++++
sudo-1.7.4p4-getgrouplist.patch | 39 ++++
sudo.spec | 55 +++---
21 files changed, 159 insertions(+), 1787 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index 79d1947..e62db8c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,4 @@
sudo-1.7.2p6.tar.gz
sudo-1.7.2p2-sudoers
+/sudo-1.7.4p4.tar.gz
+/sudo-1.7.4p4-sudoers
diff --git a/sources b/sources
index e8d3499..7153aa5 100644
--- a/sources
+++ b/sources
@@ -1,2 +1,2 @@
-c4f1a43e8ba94f6bf06d2211442148c4 sudo-1.7.2p6.tar.gz
-d657d8d55ecdf88a2d11da73ac5662a4 sudo-1.7.2p2-sudoers
+55d9906535d70a1de347cd3d3550ee87 sudo-1.7.4p4.tar.gz
+874abe2dd29da4a8d773c4db8460fa27 sudo-1.7.4p4-sudoers
diff --git a/sudo-1.7.4p3-m4path.patch b/sudo-1.7.4p3-m4path.patch
new file mode 100644
index 0000000..b1f8e1b
--- /dev/null
+++ b/sudo-1.7.4p3-m4path.patch
@@ -0,0 +1,17 @@
+diff -up sudo-1.7.4p3/aclocal.m4.m4path sudo-1.7.4p3/aclocal.m4
+--- sudo-1.7.4p3/aclocal.m4.m4path 2010-09-07 13:11:59.095198365 +0200
++++ sudo-1.7.4p3/aclocal.m4 2010-09-07 13:12:25.718209211 +0200
+@@ -368,8 +368,8 @@ EOF
+ dnl
+ dnl Pull in libtool macros
+ dnl
+-m4_include([libtool.m4])
+-m4_include([ltoptions.m4])
+-m4_include([ltsugar.m4])
+-m4_include([ltversion.m4])
+-m4_include([lt~obsolete.m4])
++m4_include([m4/libtool.m4])
++m4_include([m4/ltoptions.m4])
++m4_include([m4/ltsugar.m4])
++m4_include([m4/ltversion.m4])
++m4_include([m4/lt~obsolete.m4])
diff --git a/sudo-1.7.4p3-sudolist.patch b/sudo-1.7.4p3-sudolist.patch
new file mode 100644
index 0000000..e75b445
--- /dev/null
+++ b/sudo-1.7.4p3-sudolist.patch
@@ -0,0 +1,67 @@
+diff -up sudo-1.7.4p3/parse.c.orig sudo-1.7.4p3/parse.c
+--- sudo-1.7.4p3/parse.c.orig 2010-09-07 15:00:12.728260953 +0200
++++ sudo-1.7.4p3/parse.c 2010-09-07 15:00:38.950188803 +0200
+@@ -158,8 +158,8 @@ sudo_file_lookup(nss, validated, pwflag)
+
+ /*
+ * Only check the actual command if pwflag is not set.
+- * It is set for the "validate", "list" and "kill" pseudo-commands.
+- * Always check the host and user.
++ * It is set for the "sudovalidate", "sudolist" and "sudokill"
++ * pseudo-commands. Always check the host and user.
+ */
+ if (pwflag) {
+ int nopass;
+diff -up sudo-1.7.4p3/sudo.c.orig sudo-1.7.4p3/sudo.c
+--- sudo-1.7.4p3/sudo.c.orig 2010-09-07 14:57:08.201198517 +0200
++++ sudo-1.7.4p3/sudo.c 2010-09-07 14:55:47.208260545 +0200
+@@ -232,7 +232,7 @@ main(argc, argv, envp)
+
+ pwflag = 0;
+ if (ISSET(sudo_mode, MODE_SHELL))
+- user_cmnd = "shell";
++ user_cmnd = "sudoshell";
+ else if (ISSET(sudo_mode, MODE_EDIT))
+ user_cmnd = "sudoedit";
+ else {
+@@ -245,12 +245,12 @@ main(argc, argv, envp)
+ break;
+ case MODE_VALIDATE:
+ case MODE_VALIDATE|MODE_INVALIDATE:
+- user_cmnd = "validate";
++ user_cmnd = "sudovalidate";
+ pwflag = I_VERIFYPW;
+ break;
+ case MODE_KILL:
+ case MODE_INVALIDATE:
+- user_cmnd = "kill";
++ user_cmnd = "sudokill";
+ pwflag = -1;
+ break;
+ case MODE_LISTDEFS:
+@@ -259,7 +259,7 @@ main(argc, argv, envp)
+ break;
+ case MODE_LIST:
+ case MODE_LIST|MODE_INVALIDATE:
+- user_cmnd = "list";
++ user_cmnd = "sudolist";
+ pwflag = I_LISTPW;
+ break;
+ case MODE_CHECK:
+@@ -701,13 +701,13 @@ init_vars(envp)
+ set_perms(PERM_ROOT);
+
+ /*
+- * If we were given the '-e', '-i' or '-s' options we need to redo
++ * If we were given the '-e', '-i', '-l' or '-s' options we need to redo
+ * NewArgv and NewArgc.
+ */
+- if (ISSET(sudo_mode, MODE_EDIT)) {
++ if (ISSET(sudo_mode, MODE_EDIT|MODE_LIST)) {
+ NewArgv--;
+ NewArgc++;
+- NewArgv[0] = "sudoedit";
++ NewArgv[0] = user_cmnd;
+ } else if (ISSET(sudo_mode, MODE_SHELL)) {
+ char **av;
+
diff --git a/sudo-1.7.4p4-getgrouplist.patch b/sudo-1.7.4p4-getgrouplist.patch
new file mode 100644
index 0000000..dd584e7
--- /dev/null
+++ b/sudo-1.7.4p4-getgrouplist.patch
@@ -0,0 +1,39 @@
+diff -up sudo-1.7.4p4/configure.in.getgrouplist sudo-1.7.4p4/configure.in
+--- sudo-1.7.4p4/configure.in.getgrouplist 2010-09-07 15:53:38.400260828 +0200
++++ sudo-1.7.4p4/configure.in 2010-09-07 15:54:48.751188374 +0200
+@@ -1913,7 +1913,7 @@ AC_FUNC_GETGROUPS
+ AC_CHECK_FUNCS(strchr strrchr memchr memcpy memset sysconf tzset \
+ strftime setrlimit initgroups getgroups fstat gettimeofday \
+ regcomp setlocale getaddrinfo setenv vhangup \
+- mbr_check_membership setrlimit64)
++ mbr_check_membership setrlimit64 getgrouplist)
+ AC_CHECK_FUNCS(getline, [], [
+ AC_LIBOBJ(getline)
+ AC_CHECK_FUNCS(fgetln)
+diff -up sudo-1.7.4p4/pwutil.c.getgrouplist sudo-1.7.4p4/pwutil.c
+--- sudo-1.7.4p4/pwutil.c.getgrouplist 2010-09-07 15:53:26.816198477 +0200
++++ sudo-1.7.4p4/pwutil.c 2010-09-07 15:54:16.990188543 +0200
+@@ -628,5 +628,23 @@ user_in_group(pw, group)
+ }
+ #endif /* HAVE_MBR_CHECK_MEMBERSHIP */
+
++#ifdef HAVE_GETGROUPLIST
++ {
++ gid_t *grouplist, grouptmp;
++ int n_groups, i;
++ n_groups = 1;
++ if (getgrouplist(user_name, user_gid, &grouptmp, &n_groups) == -1) {
++ grouplist = (gid_t *) emalloc(sizeof(gid_t) * (n_groups + 1));
++ if (getgrouplist(user_name, user_gid, grouplist, &n_groups) > 0)
++ for (i = 0; i < n_groups; i++)
++ if (grouplist[i] == grp->gr_gid) {
++ free(grouplist);
++ return(TRUE);
++ }
++ free(grouplist);
++ }
++ }
++#endif /* HAVE_GETGROUPLIST */
++
+ return(FALSE);
+ }
diff --git a/sudo.spec b/sudo.spec
index b914a74..7f253be 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,12 +1,12 @@
Summary: Allows restricted root access for specified users
Name: sudo
-Version: 1.7.2p6
-Release: 2%{?dist}
-License: BSD
+Version: 1.7.4p4
+Release: 1%{?dist}
+License: ISC
Group: Applications/System
URL: http://www.courtesan.com/sudo/
Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz
-Source1: sudo-1.7.2p2-sudoers
+Source1: sudo-1.7.4p4-sudoers
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: /etc/pam.d/system-auth, vim-minimal
@@ -22,17 +22,14 @@ BuildRequires: sendmail
# don't strip
Patch1: sudo-1.6.7p5-strip.patch
-# use specific PAM session for sudo -i (#198755)
-Patch2: sudo-1.7.2p1-login.patch
# configure.in fix
-Patch3: sudo-1.7.2p1-envdebug.patch
-Patch4: sudo-1.7.1-libtool.patch
+Patch2: sudo-1.7.2p1-envdebug.patch
+# add m4/ to paths in aclocal.m4
+Patch3: sudo-1.7.4p3-m4path.patch
+# don't emalloc(0)
+Patch4: sudo-1.7.4p3-sudolist.patch
# getgrouplist() to determine group membership (#235915)
-Patch5: sudo-1.7.2p4-getgrouplist.patch
-# audit support improvement
-Patch6: sudo-1.7.2p6-audit.patch
-# insufficient environment sanitization issue (#598154)
-Patch7: sudo-1.7.2p2-envsanitize.patch
+Patch5: sudo-1.7.4p4-getgrouplist.patch
%description
Sudo (superuser do) allows a system administrator to give certain
@@ -47,17 +44,16 @@ on many different machines.
%prep
%setup -q
+
%patch1 -p1 -b .strip
-%patch2 -p1 -b .login
-%patch3 -p1 -b .envdebug
-%patch4 -p1 -b .libtool
+%patch2 -p1 -b .envdebug
+%patch3 -p1 -b .m4path
+%patch4 -p1 -b .sudolist
%patch5 -p1 -b .getgrouplist
-%patch6 -p1 -b .audit
-%patch7 -p1 -b .envsanitize
%build
# handle newer autoconf
-rm acsite.m4
+rm -f acsite.m4
mv aclocal.m4 acinclude.m4
autoreconf -fv --install
@@ -73,6 +69,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie"
--prefix=%{_prefix} \
--sbindir=%{_sbindir} \
--libdir=%{_libdir} \
+ --docdir=%{_datadir}/doc/%{name}-%{version} \
--with-logging=syslog \
--with-logfac=authpriv \
--with-pam \
@@ -84,7 +81,7 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie"
--with-ldap \
--with-selinux \
--with-passprompt="[sudo] password for %p: " \
- --with-audit
+ --with-linux-audit
# --without-kerb5 \
# --without-kerb4
make
@@ -93,7 +90,7 @@ make
rm -rf $RPM_BUILD_ROOT
make install DESTDIR="$RPM_BUILD_ROOT" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g`
chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/*
-install -p -d -m 700 $RPM_BUILD_ROOT/var/run/sudo
+install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo
install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d
install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers
@@ -122,15 +119,16 @@ rm -rf $RPM_BUILD_ROOT
%files
%defattr(-,root,root)
-%doc ChangeLog WHATSNEW HISTORY LICENSE README* TROUBLESHOOTING UPGRADE
+%doc ChangeLog NEWS HISTORY LICENSE README* TROUBLESHOOTING UPGRADE
%doc sudoers.ldap.pod schema.* sudoers2ldif sample.*
%attr(0440,root,root) %config(noreplace) /etc/sudoers
%attr(0750,root,root) %dir /etc/sudoers.d/
%config(noreplace) /etc/pam.d/sudo
%config(noreplace) /etc/pam.d/sudo-i
-%dir /var/run/sudo
+%dir /var/db/sudo
%attr(4111,root,root) %{_bindir}/sudo
%attr(4111,root,root) %{_bindir}/sudoedit
+%attr(0111,root,root) %{_bindir}/sudoreplay
%attr(0755,root,root) %{_sbindir}/visudo
%attr(0755,root,root) %{_libexecdir}/sesh
%{_libexecdir}/sudo_noexec.*
@@ -138,6 +136,7 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man5/sudoers.ldap.5*
%{_mandir}/man8/sudo.8*
%{_mandir}/man8/sudoedit.8*
+%{_mandir}/man8/sudoreplay.8*
%{_mandir}/man8/visudo.8*
# Make sure permissions are ok even if we're updating
@@ -145,6 +144,16 @@ rm -rf $RPM_BUILD_ROOT
/bin/chmod 0440 /etc/sudoers || :
%changelog
+* Wed Sep 8 2010 Daniel Kopecek <dkopecek at redhat.com> - 1.7.4p4-1
+- update to new upstream version
+- sudo now uses /var/db/sudo for timestamps
+- new command available: sudoreplay
+- use native audit support
+- corrected license field value: BSD -> ISC
+- added env_keep += HOME (see rhbz#614025) for
+ backwards compatibility
+- added Defaults !visiblepw
+
* Wed Jun 2 2010 Daniel Kopecek <dkopecek at redhat.com> - 1.7.2p6-2
- added patch that fixes insufficient environment sanitization issue (#598154)
More information about the scm-commits
mailing list