[sudo] update to 1.8.11
Daniel Kopeček
mildew at fedoraproject.org
Tue Sep 30 13:45:55 UTC 2014
commit a5f9360d9a834c8995e7ec07feac039ad79e56b7
Author: Daniel Kopecek <dkopecek at redhat.com>
Date: Tue Sep 30 15:45:25 2014 +0200
update to 1.8.11
- major changes & fixes:
  - when running a command in the background, sudo will now forward
    SIGINFO to the command
  - the passwords in ldap.conf and ldap.secret may now be encoded in base64.
  - SELinux role changes are now audited. For sudoedit, we now audit
    the actual editor being run, instead of just the sudoedit command.
  - it is now possible to match an environment variable's value as well as
    its name using env_keep and env_check
  - new files created via sudoedit as a non-root user now have the proper group id
  - sudoedit now works correctly in conjunction with sudo's SELinux RBAC support
  - it is now possible to disable network interface probing in sudo.conf by
    changing the value of the probe_interfaces setting
  - when listing a user's privileges (sudo -l), the sudoers plugin will now prompt
    for the user's password even if the targetpw, rootpw or runaspw options are set.
  - the new use_netgroups sudoers option can be used to explicitly enable or disable
    netgroups support
  - visudo can now export a sudoers file in JSON format using the new -x flag
- added patch to read ldap.conf more closely to nss_ldap
- require /usr/bin/vi instead of vim-minimal
- include pam.d/system-auth in PAM session phase from pam.d/sudo
- include pam.d/sudo in PAM session phase from pam.d/sudo-i
sudo-1.8.11b4-ldapconfpatch.patch | 54 +++++++++++++++++++++++++++++++++++++
sudo.spec | 53 ++++++++++++++++++++++++------------
2 files changed, 89 insertions(+), 18 deletions(-)
---
diff --git a/sudo-1.8.11b4-ldapconfpatch.patch b/sudo-1.8.11b4-ldapconfpatch.patch
new file mode 100644
index 0000000..c7e9937
--- /dev/null
+++ b/sudo-1.8.11b4-ldapconfpatch.patch
@@ -0,0 +1,54 @@
+diff -up sudo-1.8.11b4/plugins/sudoers/ldap.c.ldapconfpatch sudo-1.8.11b4/plugins/sudoers/ldap.c
+--- sudo-1.8.11b4/plugins/sudoers/ldap.c.ldapconfpatch 2014-07-22 22:52:34.000000000 +0200
++++ sudo-1.8.11b4/plugins/sudoers/ldap.c 2014-09-15 11:22:11.122094452 +0200
+@@ -1550,6 +1550,33 @@ sudo_check_krb5_ccname(const char *ccnam
+ }
+ #endif /* HAVE_LDAP_SASL_INTERACTIVE_BIND_S */
+
++/*
++ * Read a line of input, remove whole line comments and strip off leading
++ * and trailing spaces. Returns static storage that is reused.
++ */
++static char *
++sudo_ldap_parseln(fp)
++ FILE *fp;
++{
++ size_t len;
++ char *cp = NULL;
++ static char buf[LINE_MAX];
++
++ if (fgets(buf, sizeof(buf), fp) != NULL) {
++ /* Remove comments */
++ if (*buf == '#')
++ *buf = '\0';
++
++ /* Trim leading and trailing whitespace/newline */
++ len = strlen(buf);
++ while (len > 0 && isspace((unsigned char)buf[len - 1]))
++ buf[--len] = '\0';
++ for (cp = buf; isblank(*cp); cp++)
++ continue;
++ }
++ return(cp);
++}
++
+ static bool
+ sudo_ldap_read_config(void)
+ {
+@@ -1575,7 +1602,7 @@ sudo_ldap_read_config(void)
+ if ((fp = fopen(path_ldap_conf, "r")) == NULL)
+ debug_return_bool(false);
+
+- while (sudo_parseln(&line, &linesize, NULL, fp) != -1) {
++ while ((line = sudo_ldap_parseln(fp)) != NULL) {
+ if (*line == '\0')
+ continue; /* skip empty line */
+
+@@ -1595,7 +1622,6 @@ sudo_ldap_read_config(void)
+ if (!sudo_ldap_parse_keyword(keyword, value, ldap_conf_global))
+ sudo_ldap_parse_keyword(keyword, value, ldap_conf_conn);
+ }
+- free(line);
+ fclose(fp);
+
+ if (!ldap_conf.host)
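Review bot: sudo_ldap_parseln() reads into a fixed `static char buf[LINE_MAX]` with a single fgets() call, so an ldap.conf line longer than LINE_MAX - 1 bytes is silently split, and its tail comes back from the next call as if it were a separate line that sudo_ldap_read_config() then parses as its own keyword and value. The removed `sudo_parseln(&line, &linesize, NULL, fp)` call and the removed `free(line)` indicate the old buffer was dynamically sized, so this is a new limit on a file that holds bind credentials and server URIs. Suggest checking whether the data read ended in a newline and, if it did not, draining the rest of the line and skipping it or reporting an error. Two smaller points in the same function: the comment test `if (*buf == '#')` runs before leading blanks are skipped, so an indented comment line is handed to the keyword parser, and `isblank(*cp)` lacks the `(unsigned char)` cast that the isspace() call just above it has.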
diff --git a/sudo.spec b/sudo.spec
index 132e1f2..2da6fe3 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,14 +1,15 @@
Summary: Allows restricted root access for specified users
Name: sudo
-Version: 1.8.8
-Release: 7%{?dist}
+Version: 1.8.11
+Release: 1%{?dist}
License: ISC
Group: Applications/System
URL: http://www.courtesan.com/sudo/
Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz
Source1: sudo-1.8.8-sudoers
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-Requires: /etc/pam.d/system-auth, vim-minimal
+Requires: /etc/pam.d/system-auth
+Requires: /usr/bin/vi
Requires(post): /bin/chmod
BuildRequires: pam-devel
@@ -25,14 +26,8 @@ BuildRequires: zlib-devel
# don't strip
Patch1: sudo-1.6.7p5-strip.patch
-# configure.in fix
-Patch2: sudo-1.7.2p1-envdebug.patch
-# Fix several issues in the sssd code
-Patch3: sudo-1.8.8-sssdfixes.patch
-# Don't accept invalid number in uid/gid specifications
-Patch4: sudo-1.8.8-strictuidgid.patch
-# Fix several issues found by the clang static analyzer
-Patch5: sudo-1.8.8-clangbugs.patch
+# Patch to read ldap.conf more closely to nss_ldap
+Patch2: sudo-1.8.11b4-ldapconfpatch.patch
%description
Sudo (superuser do) allows a system administrator to give certain
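Review bot: Patch3 to Patch5 (sssdfixes, strictuidgid, clangbugs) are dropped here, but neither the commit message nor the new %changelog entry says that 1.8.11 already contains those fixes. sudo-1.8.8-strictuidgid.patch is described as "Don't accept invalid number in uid/gid specifications", which is input validation that should not regress. Please confirm each dropped patch is upstream in 1.8.11 and add a changelog line saying so.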
@@ -58,10 +53,7 @@ plugins that use %{name}.
%setup -q
%patch1 -p1 -b .strip
-%patch2 -p1 -b .envdebug
-%patch3 -p1 -b .sssdfixes
-%patch4 -p1 -b .strictuidgid
-%patch5 -p1 -b .clangbugs
+%patch2 -p1 -b .ldapconfpatch
%build
# Remove bundled copy of zlib
@@ -129,6 +121,7 @@ account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
+session include system-auth
EOF
cat > $RPM_BUILD_ROOT/etc/pam.d/sudo-i << EOF
@@ -137,7 +130,7 @@ auth include sudo
account include sudo
password include sudo
session optional pam_keyinit.so force revoke
-session required pam_limits.so
+session include sudo
EOF
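Review bot: with `session include sudo` in pam.d/sudo-i, the session stack now runs pam_keyinit.so twice: once from sudo-i's own `session optional pam_keyinit.so force revoke` line and again from the `session optional pam_keyinit.so revoke` line in pam.d/sudo visible in the previous hunk. If the include is only meant to pick up pam_limits.so and the system-auth session modules, consider dropping one of the keyinit lines or stating that the second call is intended. A comment in the heredoc on why the include replaces the explicit pam_limits.so line would also help the next maintainer.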
@@ -161,6 +154,7 @@ rm -rf $RPM_BUILD_ROOT
%attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so
%attr(0644,root,root) %{_libexecdir}/sudo/group_file.so
%attr(0644,root,root) %{_libexecdir}/sudo/system_group.so
+%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so.*
%{_mandir}/man5/sudoers.5*
%{_mandir}/man5/sudoers.ldap.5*
%{_mandir}/man5/sudo.conf.5*
@@ -184,10 +178,33 @@ rm -rf $RPM_BUILD_ROOT
%doc plugins/sample/sample_plugin.c
%{_includedir}/sudo_plugin.h
%{_mandir}/man8/sudo_plugin.8*
+%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so
+%attr(0644,root,root) %{_libexecdir}/sudo/*.la
%changelog
-* Mon Aug 18 2014 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 1.8.8-7
-- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild
+* Tue Sep 30 2014 Daniel Kopecek <dkopecek at redhat.com> - 1.8.11-1
+- update to 1.8.11
+- major changes & fixes:
+ - when running a command in the background, sudo will now forward
+ SIGINFO to the command
+ - the passwords in ldap.conf and ldap.secret may now be encoded in base64.
+ - SELinux role changes are now audited. For sudoedit, we now audit
+ the actual editor being run, instead of just the sudoedit command.
+ - it is now possible to match an environment variable's value as well as
+ its name using env_keep and env_check
+ - new files created via sudoedit as a non-root user now have the proper group id
+ - sudoedit now works correctly in conjunction with sudo's SELinux RBAC support
+ - it is now possible to disable network interface probing in sudo.conf by
+ changing the value of the probe_interfaces setting
+ - when listing a user's privileges (sudo -l), the sudoers plugin will now prompt
+ for the user's password even if the targetpw, rootpw or runaspw options are set.
+ - the new use_netgroups sudoers option can be used to explicitly enable or disable
+ netgroups support
+ - visudo can now export a sudoers file in JSON format using the new -x flag
+- added patch to read ldap.conf more closely to nss_ldap
+- require /usr/bin/vi instead of vim-minimal
+- include pam.d/system-auth in PAM session phase from pam.d/sudo
+- include pam.d/sudo in PAM session phase from pam.d/sudo-i
* Tue Aug 5 2014 Tom Callaway <spot at fedoraproject.org> - 1.8.8-6
- fix license handling
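Review bot: `%{_libexecdir}/sudo/*.la` adds libtool archive files to the file list that carries sudo_plugin.h. Fedora packaging guidelines ask that .la files not be shipped unless something needs them; if nothing does, remove them in %install instead of listing them in %files. The new changelog entry also does not mention the added libsudo_util.so files.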