diff --git a/README.md b/README.md
index 8c0c6b6..3cc553e 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,5 @@
 # sudo
+Sudo (superuser do) is a program designed to allow a sysadmin to give limited root privileges to users and log root activity.
+The basic philosophy is to give as few privileges as possible but still allow people to get their work done.
+
diff --git a/sudo-1.6.8p12-badenv_table_more.patch b/sudo-1.6.8p12-badenv_table_more.patch
new file mode 100644
index 0000000..880be71
--- /dev/null
+++ b/sudo-1.6.8p12-badenv_table_more.patch
@@ -0,0 +1,20 @@
+--- sudo-1.6.8p12/env.c 2006-04-05 11:26:20.000000000 +0200
++++ sudo-1.6.8p12-fix/env.c 2006-04-05 11:32:13.000000000 +0200
+@@ -124,12 +124,17 @@
+ "TERMCAP", /* XXX - only if it starts with '/' */
+ "ENV",
+ "BASH_ENV",
++ "GLOBIGNORE",
+ "PS4",
+ "SHELLOPTS",
+ "JAVA_TOOL_OPTIONS",
+ "PERLLIB",
++ "PERL5DB",
+ "PERL5LIB",
+ "PERL5OPT",
++ "PYTHONHOME",
++ "PYTHONPATH",
++ "PYTHONINSPECT",
+ NULL
+ };
+ 
diff --git a/sudo-1.6.8p12-can_2006_0151.patch b/sudo-1.6.8p12-can_2006_0151.patch
new file mode 100644
index 0000000..624007d
--- /dev/null
+++ b/sudo-1.6.8p12-can_2006_0151.patch
@@ -0,0 +1,41 @@
+--- sudo-1.6.8p12/env.c 2006-02-06 14:23:31.000000000 +0100
++++ sudo-1.6.8p12-fix/env.c 2006-02-06 14:31:06.000000000 +0100
+@@ -142,6 +142,7 @@
+ "LC_*",
+ "LANG",
+ "LANGUAGE",
++ "TERM",
+ NULL
+ };
+ 
+@@ -440,6 +441,7 @@
+ }
+ 
+ /* Skip anything listed in env_delete. */
++#if 0
+ for (cur = def_env_delete; cur && okvar; cur = cur->next) {
+ len = strlen(cur->value);
+ /* Deal with '*' wildcard */
+@@ -453,9 +455,10 @@
+ okvar = 0;
+ }
+ }
++#endif
+ 
+ /* Check certain variables for '%' and '/' characters. */
+- for (cur = def_env_check; cur && okvar; cur = cur->next) {
++ for (cur = def_env_check; cur; cur = cur->next) {
+ len = strlen(cur->value);
+ /* Deal with '*' wildcard */
+ if (cur->value[len - 1] == '*') {
+@@ -465,8 +468,8 @@
+ iswild = 0;
+ if (strncmp(cur->value, *ep, len) == 0 &&
+ (iswild || (*ep)[len] == '=') &&
+- strpbrk(*ep, "/%")) {
+- okvar = 0;
++ strpbrk(*ep, "/%") == NULL) {
++ okvar = 1;
+ }
+ }
+ 
diff --git a/sudo-1.6.8p12-sudoers_man.patch b/sudo-1.6.8p12-sudoers_man.patch
new file mode 100644
index 0000000..268f954
--- /dev/null
+++ b/sudo-1.6.8p12-sudoers_man.patch
@@ -0,0 +1,11 @@
+--- sudo-1.6.8p12/sudoers.man.in 2005-11-08 19:22:19.000000000 +0100
++++ sudo-1.6.8p12-fix/sudoers.man.in 2006-04-05 11:08:00.000000000 +0200
+@@ -759,7 +759,7 @@
+ .IP "exempt_group" 12
+ .IX Item "exempt_group"
+ Users in this group are exempt from password and \s-1PATH\s0 requirements.
+-This is not set by default.
++On QiLinux systems, this is set to the group 'sysadmin' by default.
+ .IP "verifypw" 12
+ .IX Item "verifypw"
+ This option controls when a password will be required when a user runs
diff --git a/sudo-1.6.8p9-can_2005_2959.patch b/sudo-1.6.8p9-can_2005_2959.patch
new file mode 100644
index 0000000..67046f7
--- /dev/null
+++ b/sudo-1.6.8p9-can_2005_2959.patch
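Review bot: The `#if 0`/`#endif` pair added around the `def_env_delete` loop switches off sudoers `env_delete` processing entirely, and the rewritten `def_env_check` loop no longer stops when `okvar` is already clear but sets `okvar = 1` on any match without '/' or '%', so a variable matched there is re-allowed regardless of what the checks before this hunk decided (those checks are outside the hunk, so I can't confirm which ones run first). The spec in this same commit declares the file as Patch4 but leaves `%patch4` commented out, so the patch is dead for the 1.8.9p4 build. If it is kept for history, a leading comment such as `# QiLinux fix for 1.6.8p12 only; superseded upstream, do not re-enable on 1.8.x` would stop it from being re-applied by accident.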
@@ -0,0 +1,11 @@
+--- sudo-1.6.8p9/env.c.orig 2005-10-26 08:53:26.000000000 +0200
++++ sudo-1.6.8p9/env.c 2005-10-26 08:56:21.000000000 +0200
+@@ -89,6 +89,8 @@
+ static const char *initial_badenv_table[] = {
+ "IFS",
+ "CDPATH",
++ "SHELLOPTS",
++ "PS4",
+ "LOCALDOMAIN",
+ "RES_OPTIONS",
+ "HOSTALIASES",
diff --git a/sudo-1.6.8p9-samples.patch b/sudo-1.6.8p9-samples.patch
new file mode 100644
index 0000000..e37a5be
--- /dev/null
+++ b/sudo-1.6.8p9-samples.patch
@@ -0,0 +1,72 @@
+diff -ru sudo-1.6.8p9/ins_classic.h sudo-1.6.8p9-qifix/ins_classic.h
+--- sudo-1.6.8p9/ins_classic.h 2004-02-13 21:36:43.000000000 +0000
++++ sudo-1.6.8p9-qifix/ins_classic.h 2005-09-30 09:22:24.000000000 +0000
+@@ -32,7 +32,7 @@
+ "Where did you learn to type?",
+ "Are you on drugs?",
+ "My pet ferret can type better than you!",
+- "You type like i drive.",
++ "You type like I drive.",
+ "Do you think like you type?",
+ "Your mind just hasn't been the same since the electro-shock, has it?",
+ 
+diff -ru sudo-1.6.8p9/sample.sudoers sudo-1.6.8p9-qifix/sample.sudoers
+--- sudo-1.6.8p9/sample.sudoers 2004-05-17 22:31:35.000000000 +0000
++++ sudo-1.6.8p9-qifix/sample.sudoers 2005-09-30 09:31:59.000000000 +0000
+@@ -36,15 +36,14 @@
+ ##
+ Cmnd_Alias DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \
+ /usr/sbin/rrestore, /usr/bin/mt
+-Cmnd_Alias KILL = /usr/bin/kill
++Cmnd_Alias KILL = /bin/kill
+ Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
+-Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
+-Cmnd_Alias HALT = /usr/sbin/halt
+-Cmnd_Alias REBOOT = /usr/sbin/reboot
+-Cmnd_Alias SHELLS = /sbin/sh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
+- /usr/local/bin/tcsh, /usr/bin/rsh, \
+- /usr/local/bin/zsh
+-Cmnd_Alias SU = /usr/bin/su
++Cmnd_Alias SHUTDOWN = /sbin/shutdown
++Cmnd_Alias HALT = /sbin/halt
++Cmnd_Alias REBOOT = /sbin/reboot
++Cmnd_Alias SHELLS = /bin/sh, /bin/sh, /bin/csh, /bin/ksh, /bin/rsh, \
++ /bin/tcsh, /bin/zsh
++Cmnd_Alias SU = /bin/su
+ Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \
+ /usr/bin/chfn
+ 
+@@ -82,7 +81,7 @@
+ sudoedit /etc/printcap, /usr/oper/bin/
+ 
+ # joe may su only to operator
+-joe ALL = /usr/bin/su operator
++joe ALL = /bin/su operator
+ 
+ # pete may change passwords for anyone but root on the hp snakes
+ pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
+@@ -96,13 +95,13 @@
+ 
+ # users in the secretaries netgroup need to help manage the printers
+ # as well as add and remove users
+-+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
+++secretaries ALL = PRINTING, /usr/sbin/useradd, /usr/sbin/userdel
+ 
+ # fred can run commands as oracle or sybase without a password
+ fred ALL = (DB) NOPASSWD: ALL
+ 
+ # on the alphas, john may su to anyone but root and flags are not allowed
+-john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
++john ALPHA = /usr/bin/su [!-]*, !/bin/su *root*
+ 
+ # jen can run anything on all machines except the ones
+ # in the "SERVERS" Host_Alias
+@@ -123,7 +122,7 @@
+ # users in the WEBMASTERS User_Alias (will, wendy, and wim)
+ # may run any command as user www (which owns the web pages)
+ # or simply su to www.
+-WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
++WEBMASTERS www = (www) ALL, (root) /bin/su www
+ 
+ # anyone can mount/unmount a cd-rom on the machines in the CDROM alias
+ ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
diff --git a/sudo-1.7.0-disable_env_reset.patch b/sudo-1.7.0-disable_env_reset.patch
new file mode 100644
index 0000000..a434f31
--- /dev/null
+++ b/sudo-1.7.0-disable_env_reset.patch
@@ -0,0 +1,12 @@
+diff -Nru sudo-1.7.0.orig/defaults.c sudo-1.7.0/defaults.c
+--- sudo-1.7.0.orig/defaults.c 2008-11-09 15:13:12.000000000 +0100
++++ sudo-1.7.0/defaults.c 2009-01-05 05:08:06.000000000 +0100
+@@ -428,7 +428,7 @@
+ def_askpass = estrdup(_PATH_SUDO_ASKPASS);
+ #endif
+ def_sudoers_locale = estrdup("C");
+- def_env_reset = TRUE;
++ def_env_reset = FALSE;
+ def_set_logname = TRUE;
+ def_closefrom = STDERR_FILENO + 1;
+ 
diff --git a/sudo-1.8.6p4-qemu_no_geteuid.patch b/sudo-1.8.6p4-qemu_no_geteuid.patch
new file mode 100644
index 0000000..7932303
--- /dev/null
+++ b/sudo-1.8.6p4-qemu_no_geteuid.patch
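Review bot: Flipping the compiled-in default from `def_env_reset = TRUE` to `def_env_reset = FALSE` means every sudoers that does not set `env_reset` explicitly hands the invoking user's environment to the command run as root, which is exactly what upstream's default is there to avoid. The spec in this commit keeps `#%patch7 -p1` commented out, so the patch is not applied to 1.8.9p4, but shipping the file with no marker makes it easy to re-enable later. If particular variables are needed by the distribution's tools, the safer route is to leave the upstream default alone and list them in a `Defaults env_keep += "..."` entry in the shipped sudoers; a one-line header in the patch, `# disables env_reset globally; not applied, prefer env_keep in sudoers`, would record that decision.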
@@ -0,0 +1,12 @@
+--- sudo-1.8.6p4/src/sudo.c.orig 2013-01-23 14:31:28.959527349 +0100
++++ sudo-1.8.6p4/src/sudo.c 2013-01-23 14:31:32.840488423 +0100
+@@ -184,9 +184,6 @@
+ # endif
+ #endif /* HAVE_GETPRPWNAM && HAVE_SET_AUTH_PARAMETERS */
+ 
+- /* Make sure we are setuid root. */
+- sudo_check_suid(argv[0]);
+-
+ /* Reset signal mask, save signal state and make sure fds 0-2 are open. */
+ (void) sigemptyset(&mask);
+ (void) sigprocmask(SIG_SETMASK, &mask, NULL);
diff --git a/sudo-pam.conf b/sudo-pam.conf
new file mode 100644
index 0000000..bb8e49e
--- /dev/null
+++ b/sudo-pam.conf
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth include system-auth
+account include system-auth
+password include system-auth
+session required pam_limits.so
+
diff --git a/sudo-sudoers.conf b/sudo-sudoers.conf
new file mode 100644
index 0000000..b16aca2
--- /dev/null
+++ b/sudo-sudoers.conf
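Review bot: Deleting the `sudo_check_suid(argv[0])` call removes sudo's own verification that it is installed setuid root, and the spec applies this patch to every build (`%patch8 -p1`), not just the QEMU user-mode build the file name refers to. The body of `sudo_check_suid` is outside the hunk so I can't say exactly what it diagnoses, but on a normal install a binary that lost its setuid bit, or that sits on a `nosuid` mount, would now run past this point and fail later with a less specific error than the upstream message. Confining the change to the emulated build — a build conditional around `%patch8`, or keeping the call and only relaxing it under that conditional — keeps the early, explicit failure for production packages; the patch itself should carry a comment like `/* QEMU user-mode build only: geteuid() does not reflect the setuid bit there */` so the reason survives a version bump.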
@@ -0,0 +1,36 @@
+# sudoers file.
+#
+# This file MUST be edited with the 'visudo' command as root.
+#
+# See the sudoers man page for the details on how to write a sudoers file.
+#
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+Cmnd_Alias DISTRO_CMD = /usr/bin/apt-get, /usr/bin/rpm, /usr/sbin/synaptic, /usr/bin/apt-cdrom, /opt/kde3/bin/mambapt, /usr/bin/smart
+Cmnd_Alias EXTRA_CMD = /usr/bin/updatechecker, /usr/sbin/activate
+Cmnd_Alias SYSADM_CMD = /usr/bin/kdesu_stub, /sbin/service, /sbin/chkconfig, \
+ /opt/kde3/bin/guarddog
+Cmnd_Alias SYSADM_CMD_PASSWD = /sbin/*, /usr/sbin/*, /bin/*, /usr/bin/*, /opt/kde/bin/*, /opt/kde3/bin/*
+
+# Defaults specification
+
+# Runas alias specification
+
+# User privilege specification
+root ALL=(ALL) ALL
+
+# Samples
+# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
+# %users localhost=/sbin/shutdown -h now
+
+%sysadmin ALL = PASSWD: SYSADM_CMD_PASSWD
+%packager ALL = NOPASSWD: DISTRO_CMD
+%sysadmin ALL = NOPASSWD: DISTRO_CMD
+%sysadmin ALL = NOPASSWD: SYSADM_CMD
+%sysadmin ALL = NOPASSWD: EXTRA_CMD
+
+#includedir /etc/sudoers.d
diff --git a/sudo.spec b/sudo.spec
new file mode 100644
index 0000000..b68258b
--- /dev/null
+++ b/sudo.spec
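Review bot: `Cmnd_Alias SYSADM_CMD_PASSWD = /sbin/*, /usr/sbin/*, /bin/*, /usr/bin/*, /opt/kde/bin/*, /opt/kde3/bin/*` covers essentially every executable on the system, so `%sysadmin ALL = PASSWD: SYSADM_CMD_PASSWD` grants the same thing as `%sysadmin ALL = (root) ALL` and should be written that way so nobody reads the wildcard list as a restriction. `%packager ALL = NOPASSWD: DISTRO_CMD` lets members of `packager` run `/usr/bin/rpm` and `/usr/bin/apt-get` as root with no authentication and no argument restriction; package installation executes maintainer scriptlets as root, so this is unrestricted root for that group without a password, and the same `DISTRO_CMD` alias is repeated for `%sysadmin` on the next line. If the packaging workflow genuinely needs NOPASSWD, pinning the rule to the specific subcommands and arguments it uses, or at least switching it to `PASSWD:`, narrows the exposure; a comment above the `%packager` line stating why it is passwordless would help the next editor.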
@@ -0,0 +1,281 @@
+%define sysadmin_groupid 30
+%define sysadmin_name sysadmin
+
+%define with_exempt 0
+
+Name: sudo
+Version: 1.8.9p4
+Release: 1mamba
+Summary: Allows restricted root access for specified users
+Group: System/Tools
+Vendor: openmamba
+Distribution: openmamba
+Packager: Silvan Calarco
+URL: http://www.courtesan.com/sudo/
+Source0: http://www.courtesan.com/sudo/dist/%{name}-%{version}.tar.gz
+Source1: %{name}-sudoers.conf
+Source2: %{name}-pam.conf
+Patch2: %{name}-1.6.8p9-samples.patch
+Patch3: %{name}-1.6.8p9-can_2005_2959.patch
+Patch4: %{name}-1.6.8p12-can_2006_0151.patch
+Patch5: %{name}-1.6.8p12-badenv_table_more.patch
+Patch6: %{name}-1.6.8p12-sudoers_man.patch
+Patch7: %{name}-1.7.0-disable_env_reset.patch
+Patch8: %{name}-1.8.6p4-qemu_no_geteuid.patch
+License: BSD
+## AUTOBUILDREQ-BEGIN
+BuildRequires: glibc-devel
+BuildRequires: pam-devel
+%if "%{stage1}" != "1"
+BuildRequires: libopenldap-devel
+BuildRequires: vim
+%endif
+## AUTOBUILDREQ-END
+%if "%{stage1}" != "1"
+Requires: vim >= 6.3
+%endif
+BuildRoot: %{_tmppath}/%{name}-%{version}-root
+
+%description
+Sudo (superuser do) is a program designed to allow a sysadmin to give limited root privileges to users and log root activity.
+The basic philosophy is to give as few privileges as possible but still allow people to get their work done.
+
+%prep
+%setup -q
+#%patch2 -p1
+#%patch4 -p1 -b .can_2006_0151
+%if %with_exempt
+%patch6 -p1 -b .sudoers_man
+%endif
+#%patch7 -p1
+%patch8 -p1
+
+%build
+%configure \
+ --with-logging=syslog \
+ --with-logfac=authpriv \
+%if "%{stage1}" != "1"
+ --with-ldap \
+%endif
+ --with-pam \
+ --without-rpath \
+ --with-tty-tickets \
+ --with-editor=%{_bindir}/vi \
+ --with-env-editor \
+ --with-ignore-dot \
+ --with-all-insults \
+ --without-lecture \
+ --with-secure-path="\
+ --with-timedir=/var/db/sudo \
+/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/kde/bin:/opt/kde3/bin" \
+ --with-fqdn \
+%if %with_exempt
+ --with-exempt=%{sysadmin_name} \
+%endif
+ --disable-root-mailer \
+ --with-sendmail=/usr/sbin/sendmail \
+ --disable-setresuid
+
+# --disable-envreset
+# --with-password-timeout=0
+
+%make
+
+%install
+[ "%{buildroot}" != / ] && rm -rf %{buildroot}
+%makeinstall \
+ install_uid=`id -u` \
+ install_gid=`id -g` \
+ sudoers_uid=`id -u` \
+ sudoers_gid=`id -g`
+
+rm -f %{buildroot}%{_bindir}/sudoedit
+ln -sf sudo %{buildroot}%{_bindir}/sudoedit
+
+install -D -m0440 %{SOURCE1} %{buildroot}%{_sysconfdir}/sudoers
+install -D -m0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pam.d/sudo
+
+install -d %{buildroot}%{_var}/log
+touch %{buildroot}%{_var}/log/%{name}.log
+
+install -d -m 700 %{buildroot}/var/run/sudo
+install -d -m 510 %{buildroot}%{_sysconfdir}/sudoers.d
+
+%find_lang %{name}
+%find_lang sudoers
+
+cat sudoers.lang >> %{name}.lang
+
+%clean
+[ "%{buildroot}" != / ] && rm -rf %{buildroot}
+
+%pre
+groupadd sysadmin -g %{sysadmin_groupid} 2>/dev/null || :
+exit 0
+
+%post
+/bin/chmod 0440 %{_sysconfdir}/sudoers || :
+grep mambapt %{_sysconfdir}/sudoers >/dev/null || \
+ sed -i "s|\(Cmnd_Alias DISTRO_CMD = .*\)|\1, /opt/kde3/bin/mambapt|" %{_sysconfdir}/sudoers
+grep "/etc/sudoers\.d" %{_sysconfdir}/sudoers >/dev/null || \
+ echo "#includedir /etc/sudoers.d" >> %{_sysconfdir}/sudoers
+exit 0
+
+%files -f %{name}.lang
+%defattr(-,root,root)
+%attr(0110,root,root) %{_sysconfdir}/sudoers.d
+%attr(0440,root,root) %config %{_sysconfdir}/sudoers
+%attr(4111,root,root) %{_bindir}/sudo
+%attr(4111,root,root) %{_bindir}/sudoedit
+%attr(4111,root,root) %{_bindir}/sudoreplay
+%attr(0755,root,root) %{_sbindir}/visudo
+%config %{_sysconfdir}/pam.d/sudo
+%dir %{_libexecdir}/sudo
+%{_libexecdir}/sudo/group_file.so
+%{_libexecdir}/sudo/sudo_noexec.so
+%{_libexecdir}/sudo/sudoers.so
+%{_libexecdir}/sudo/system_group.so
+%{_includedir}/sudo_plugin.h
+%ghost %{_var}/log/%{name}.log
+%dir /var/run/sudo
+%attr(0700,root,root) %{_localstatedir}/db/sudo
+%dir %{_docdir}/sudo
+%{_docdir}/sudo/*
+%{_mandir}/man5/sudo.conf.5*
+%{_mandir}/man5/sudoers.*
+%{_mandir}/man8/sudo.*
+%{_mandir}/man8/sudoreplay.*
+%{_mandir}/man8/sudoedit.*
+%{_mandir}/man8/visudo.*
+%{_mandir}/man8/sudo_plugin.8*
+%doc ChangeLog README README.LDAP
+
+%changelog
+* Sat Feb 01 2014 Silvan Calarco 1.8.9p4-1mamba
+- update to 1.8.9p4
+
+* Fri Oct 04 2013 Automatic Build System 1.8.8-1mamba
+- automatic update by autodist
+
+* Mon Jun 17 2013 Automatic Build System 1.8.7-1mamba
+- automatic version update by autodist
+
+* Tue Apr 16 2013 Automatic Build System 1.8.6p8-1mamba
+- automatic version update by autodist
+
+* Fri Mar 01 2013 Automatic Build System 1.8.6p7-1mamba
+- automatic version update by autodist
+
+* Wed Jan 23 2013 Automatic Build System 1.8.6p4-1mamba
+- automatic version update by autodist
+
+* Wed Sep 19 2012 Automatic Build System 1.8.6p3-1mamba
+- automatic version update by autodist
+
+* Sun Jun 26 2011 Automatic Build System 1.8.1p2-1mamba
+- automatic update by autodist
+
+* Wed Feb 02 2011 Automatic Build System 1.7.4p6-1mamba
+- automatic update by autodist
+
+* Tue Jan 11 2011 Silvan Calarco 1.7.4p4-2mamba
+- sudoers: change path or rpm from /bin/rpm to /usr/bin/rpm (rpm 5)
+
+* Wed Nov 10 2010 Automatic Build System 1.7.4p4-1mamba
+- automatic update by autodist
+
+* Fri Sep 03 2010 Silvan Calarco 1.7.4p3-2mamba
+- create and own /var/db/sudo
+
+* Sun Aug 22 2010 Silvan Calarco 1.7.4p3-1mamba
+- update to 1.7.4p3
+- added support for /etc/sudoers.d directory
+
+* Mon Jun 21 2010 Automatic Build System 1.7.2p7-1mamba
+- automatic update by autodist
+
+* Mon Feb 15 2010 Silvan Calarco 1.7.2p2-3mamba
+- /opt/kde3/bin/kcmshell removed from /etc/sudoers
+
+* Wed Jan 06 2010 Silvan Calarco 1.7.2p2-2mamba
+- add /usr/bin/smart to sudoers DISTRO_CMD
+
+* Tue Dec 08 2009 Automatic Build System 1.7.2p2-1mamba
+- automatic update by autodist
+
+* Wed Jul 29 2009 Automatic Build System 1.7.2p1-1mamba
+- automatic update by autodist
+
+* Fri Jul 17 2009 Automatic Build System 1.7.2-1mamba
+- automatic update by autodist
+
+* Sun Apr 19 2009 Automatic Build System 1.7.1-1mamba
+- automatic update by autodist
+
+* Sat Apr 04 2009 Silvan Calarco 1.7.0-1mamba
+- automatic update by autodist
+
+* Sun Feb 01 2009 Silvan Calarco 1.6.9p20-1mamba
+- update to 1.6.9p20
+- added support for kde4 binaries path
+
+* Wed Dec 03 2008 Silvan Calarco 1.6.9p18-1mamba
+- automatic update by autodist
+
+* Thu May 08 2008 Silvan Calarco 1.6.9p15-2mamba
+- added kde3 path to secure dirs; removed /usr/X11R6/bin
+- added patch that disables default environment reset
+
+* Mon Mar 31 2008 Silvan Calarco 1.6.9p15-1mamba
+- update to 1.6.9p15
+- sudoers: allow execution of all commands in system path to sysadmin group
+ requiring user password
+- removed pam, badenv table and can_2006_0151 patches applied upstream
+
+* Fri Dec 28 2007 Silvan Calarco 1.6.8p12-13mamba
+- removed a message when installing/upgrading
+
+* Tue Nov 27 2007 Silvan Calarco 1.6.8p12-12mamba
+- sudoers: added /opt/kde3/bin/mambapt in DISTRO_CMD
+- sudoers: removed obsolete EXTRA_CMD (/usr/bin/updatechecker and /usr/bin/activate)
+
+* Thu Nov 22 2007 Silvan Calarco 1.6.8p12-11mamba
+- fixed pam configuration file
+
+* Mon Nov 19 2007 Silvan Calarco 1.6.8p12-10mamba
+- added guarddog and kcmshell to SYSADM_CMD
+
+* Tue Jun 27 2006 Massimo Pintore 1.6.8p12-9qilnx
+- added EXTRA_CMD alias in sudoers file
+
+* Fri Apr 21 2006 Silvan Calarco 1.6.8p12-8qilnx
+- added /usr/bin/apt-cdrom and /usr/bin/updatechecker in sudoers file
+
+* Thu Apr 06 2006 Davide Madrisan 1.6.8p12-7qilnx
+- option '--with-exempt=%{sysadmin_name}' disabled
+
+* Wed Apr 05 2006 Davide Madrisan 1.6.8p12-6qilnx
+- rebuild with the option '--with-exempt=%{sysadmin_name}'
+- removed patch for CAN-2005-2959 (fixed upstream)
+
+* Tue Feb 14 2006 Silvan Calarco 1.6.8p12-5qilnx
+- create and handle sysadmin group
+
+* Mon Feb 06 2006 Davide Madrisan 1.6.8p12-4qilnx
+- new patch for CVE-2006-0151
+
+* Wed Jan 25 2006 Silvan Calarco 1.6.8p12-3qilnx
+- allow "packager" group users to execute rpm, apt-get and synaptic
+
+* Mon Jan 23 2006 Davide Madrisan 1.6.8p12-2qilnx
+- security update for CVE-2006-0151 (qibug#117)
+
+* Mon Nov 14 2005 Davide Madrisan 1.6.8p12-1qilnx
+- update to version 1.6.8p12 by autospec
+- also fixes a security issue in perl scripts (QiLinux bug#69)
+
+* Wed Oct 26 2005 Davide Madrisan 1.6.8p9-2qilnx
+- security fix for CAN-2005-2959 (closes: #55)
+
+* Fri Sep 30 2005 Davide Madrisan 1.6.8p9-1qilnx
+- package created by autospec
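Review bot: In `%build` the line `--with-timedir=/var/db/sudo \` sits inside the double-quoted `--with-secure-path="\ ... "` argument, so as the shell reads it the timedir option is never passed to configure and the compiled-in secure_path begins with the literal text `--with-timedir=/var/db/sudo /usr/local/sbin` as a relative first entry rather than `/usr/local/sbin`; closing the quote on the path itself and moving the option out, `--with-secure-path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/kde/bin:/opt/kde3/bin" \` followed by `--with-timedir=/var/db/sudo \`, fixes both. Separately, `%attr(4111,root,root) %{_bindir}/sudoreplay` makes the log-replay tool setuid root although, unlike `sudo`/`sudoedit`, it only needs to read the I/O log directory, so `0755` like `visudo` is the least-privilege mode unless there is a local reason I can't see here. `Patch3` and `Patch5` are declared but never applied in `%prep`, which is harmless but worth either dropping or marking with a comment so the list reflects what the build actually uses.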