update to 1.8.9p4 [release 1.8.9p4-1mamba;Sat Feb 01 2014]

Silvan Calarco 2024-01-05 18:11:17 +01:00
parent 750f5b12f5
commit 94f467a7b9
11 changed files with 505 additions and 0 deletions


@ -1,2 +1,5 @@
# sudo # sudo
Sudo (superuser do) is a program designed to allow a sysadmin to give limited root privileges to users and log root activity.
The basic philosophy is to give as few privileges as possible but still allow people to get their work done.


@ -0,0 +1,20 @@
--- sudo-1.6.8p12/env.c 2006-04-05 11:26:20.000000000 +0200
+++ sudo-1.6.8p12-fix/env.c 2006-04-05 11:32:13.000000000 +0200
@@ -124,12 +124,17 @@
"TERMCAP", /* XXX - only if it starts with '/' */
"ENV",
"BASH_ENV",
+ "GLOBIGNORE",
"PS4",
"SHELLOPTS",
"JAVA_TOOL_OPTIONS",
"PERLLIB",
+ "PERL5DB",
"PERL5LIB",
"PERL5OPT",
+ "PYTHONHOME",
+ "PYTHONPATH",
+ "PYTHONINSPECT",
NULL
};
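Review bot: This patch is carried next to the spec but never applied: sudo.spec lists it as `Patch5`, `%prep` has no `%patch5` line, and the changelog entry for 1.6.9p15-1mamba says the badenv table patch was removed because upstream took it. It is also written against `sudo-1.6.8p12/env.c`, so it is unlikely to apply to 1.8.9p4 unchanged. An unapplied hardening patch in the tree makes the package look as if it strips `GLOBIGNORE`, `PERL5DB` and the `PYTHON*` variables itself; either delete the file together with its `Patch5:` line or add a header comment such as `# Not applied: merged upstream, kept for reference only`. The same applies to the CAN-2005-2959 patch (`Patch3`), which has no `%patch3` line either.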


@ -0,0 +1,41 @@
--- sudo-1.6.8p12/env.c 2006-02-06 14:23:31.000000000 +0100
+++ sudo-1.6.8p12-fix/env.c 2006-02-06 14:31:06.000000000 +0100
@@ -142,6 +142,7 @@
"LC_*",
"LANG",
"LANGUAGE",
+ "TERM",
NULL
};
@@ -440,6 +441,7 @@
}
/* Skip anything listed in env_delete. */
+#if 0
for (cur = def_env_delete; cur && okvar; cur = cur->next) {
len = strlen(cur->value);
/* Deal with '*' wildcard */
@@ -453,9 +455,10 @@
okvar = 0;
}
}
+#endif
/* Check certain variables for '%' and '/' characters. */
- for (cur = def_env_check; cur && okvar; cur = cur->next) {
+ for (cur = def_env_check; cur; cur = cur->next) {
len = strlen(cur->value);
/* Deal with '*' wildcard */
if (cur->value[len - 1] == '*') {
@@ -465,8 +468,8 @@
iswild = 0;
if (strncmp(cur->value, *ep, len) == 0 &&
(iswild || (*ep)[len] == '=') &&
- strpbrk(*ep, "/%")) {
- okvar = 0;
+ strpbrk(*ep, "/%") == NULL) {
+ okvar = 1;
}
}
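Review bot: With the `env_delete` loop compiled out by `#if 0` and the `env_check` loop now setting `okvar = 1` on a clean match, whether a variable survives depends entirely on `okvar` starting at 0 for each entry, and that initialisation is not in any of these hunks. If it still starts at 1, which the removed `cur && okvar` loop condition suggests the old deny-list code relied on, every variable is kept and nothing is filtered. If an allow-list is the intent, set the start value explicitly with `okvar = 0;` immediately before the `env_check` loop. I would also delete the dead block instead of wrapping it in `#if 0`, and leave a comment such as `/* env_delete is ignored here: only env_check entries without '/' or '%' are kept */`. The enclosing function begins and ends outside the hunks.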


@ -0,0 +1,11 @@
--- sudo-1.6.8p12/sudoers.man.in 2005-11-08 19:22:19.000000000 +0100
+++ sudo-1.6.8p12-fix/sudoers.man.in 2006-04-05 11:08:00.000000000 +0200
@@ -759,7 +759,7 @@
.IP "exempt_group" 12
.IX Item "exempt_group"
Users in this group are exempt from password and \s-1PATH\s0 requirements.
-This is not set by default.
+On QiLinux systems, this is set to the group 'sysadmin' by default.
.IP "verifypw" 12
.IX Item "verifypw"
This option controls when a password will be required when a user runs


@ -0,0 +1,11 @@
--- sudo-1.6.8p9/env.c.orig 2005-10-26 08:53:26.000000000 +0200
+++ sudo-1.6.8p9/env.c 2005-10-26 08:56:21.000000000 +0200
@@ -89,6 +89,8 @@
static const char *initial_badenv_table[] = {
"IFS",
"CDPATH",
+ "SHELLOPTS",
+ "PS4",
"LOCALDOMAIN",
"RES_OPTIONS",
"HOSTALIASES",


@ -0,0 +1,72 @@
diff -ru sudo-1.6.8p9/ins_classic.h sudo-1.6.8p9-qifix/ins_classic.h
--- sudo-1.6.8p9/ins_classic.h 2004-02-13 21:36:43.000000000 +0000
+++ sudo-1.6.8p9-qifix/ins_classic.h 2005-09-30 09:22:24.000000000 +0000
@@ -32,7 +32,7 @@
"Where did you learn to type?",
"Are you on drugs?",
"My pet ferret can type better than you!",
- "You type like i drive.",
+ "You type like I drive.",
"Do you think like you type?",
"Your mind just hasn't been the same since the electro-shock, has it?",
diff -ru sudo-1.6.8p9/sample.sudoers sudo-1.6.8p9-qifix/sample.sudoers
--- sudo-1.6.8p9/sample.sudoers 2004-05-17 22:31:35.000000000 +0000
+++ sudo-1.6.8p9-qifix/sample.sudoers 2005-09-30 09:31:59.000000000 +0000
@@ -36,15 +36,14 @@
##
Cmnd_Alias DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \
/usr/sbin/rrestore, /usr/bin/mt
-Cmnd_Alias KILL = /usr/bin/kill
+Cmnd_Alias KILL = /bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
-Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
-Cmnd_Alias HALT = /usr/sbin/halt
-Cmnd_Alias REBOOT = /usr/sbin/reboot
-Cmnd_Alias SHELLS = /sbin/sh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
- /usr/local/bin/tcsh, /usr/bin/rsh, \
- /usr/local/bin/zsh
-Cmnd_Alias SU = /usr/bin/su
+Cmnd_Alias SHUTDOWN = /sbin/shutdown
+Cmnd_Alias HALT = /sbin/halt
+Cmnd_Alias REBOOT = /sbin/reboot
+Cmnd_Alias SHELLS = /bin/sh, /bin/sh, /bin/csh, /bin/ksh, /bin/rsh, \
+ /bin/tcsh, /bin/zsh
+Cmnd_Alias SU = /bin/su
Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \
/usr/bin/chfn
@@ -82,7 +81,7 @@
sudoedit /etc/printcap, /usr/oper/bin/
# joe may su only to operator
-joe ALL = /usr/bin/su operator
+joe ALL = /bin/su operator
# pete may change passwords for anyone but root on the hp snakes
pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
@@ -96,13 +95,13 @@
# users in the secretaries netgroup need to help manage the printers
# as well as add and remove users
-+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
++secretaries ALL = PRINTING, /usr/sbin/useradd, /usr/sbin/userdel
# fred can run commands as oracle or sybase without a password
fred ALL = (DB) NOPASSWD: ALL
# on the alphas, john may su to anyone but root and flags are not allowed
-john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
+john ALPHA = /usr/bin/su [!-]*, !/bin/su *root*
# jen can run anything on all machines except the ones
# in the "SERVERS" Host_Alias
@@ -123,7 +122,7 @@
# users in the WEBMASTERS User_Alias (will, wendy, and wim)
# may run any command as user www (which owns the web pages)
# or simply su to www.
-WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
+WEBMASTERS www = (www) ALL, (root) /bin/su www
# anyone can mount/unmount a cd-rom on the machines in the CDROM alias
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
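Review bot: In the `john ALPHA` rule the allow and the deny no longer name the same binary: the new line grants `/usr/bin/su [!-]*` but negates `/bin/su *root*`, so the exclusion of root no longer matches the command that is granted. Both paths should move together, `john ALPHA = /bin/su [!-]*, !/bin/su *root*`. The new `SHELLS` alias also lists `/bin/sh` twice, which looks like a leftover from collapsing `/sbin/sh` and `/usr/bin/sh`. Since administrators copy from this sample, a short comment above the rule would help, noting that a negated entry must use exactly the path of the command it restricts.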


@ -0,0 +1,12 @@
diff -Nru sudo-1.7.0.orig/defaults.c sudo-1.7.0/defaults.c
--- sudo-1.7.0.orig/defaults.c 2008-11-09 15:13:12.000000000 +0100
+++ sudo-1.7.0/defaults.c 2009-01-05 05:08:06.000000000 +0100
@@ -428,7 +428,7 @@
def_askpass = estrdup(_PATH_SUDO_ASKPASS);
#endif
def_sudoers_locale = estrdup("C");
- def_env_reset = TRUE;
+ def_env_reset = FALSE;
def_set_logname = TRUE;
def_closefrom = STDERR_FILENO + 1;
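Review bot: Setting `def_env_reset = FALSE` changes a security default with no explanation in the patch or the spec: with env_reset off, sudo passes the caller's environment through and relies only on the `env_delete`/`env_check` lists. sudo.spec declares this file as `Patch7` and only comments it out in `%prep` (`#%patch7 -p1`), so it is one character away from shipping. If it is no longer wanted, drop the file and the `Patch7:` line. If it is kept for reference, add a header to the patch such as `# NOT APPLIED: disables env_reset, see changelog 1.6.9p15-2mamba`, and write the spec comment as `#%%patch7 -p1`, since rpm may expand macros inside comments. The assignment sits in a function that starts and ends outside the hunk.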


@ -0,0 +1,12 @@
--- sudo-1.8.6p4/src/sudo.c.orig 2013-01-23 14:31:28.959527349 +0100
+++ sudo-1.8.6p4/src/sudo.c 2013-01-23 14:31:32.840488423 +0100
@@ -184,9 +184,6 @@
# endif
#endif /* HAVE_GETPRPWNAM && HAVE_SET_AUTH_PARAMETERS */
- /* Make sure we are setuid root. */
- sudo_check_suid(argv[0]);
-
/* Reset signal mask, save signal state and make sure fds 0-2 are open. */
(void) sigemptyset(&mask);
(void) sigprocmask(SIG_SETMASK, &mask, NULL);
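Review bot: Removing `sudo_check_suid(argv[0])` drops the start-up check that the deleted comment describes as "Make sure we are setuid root", and sudo.spec applies this patch unconditionally (`%patch8 -p1`). Every installed build therefore loses the check, not only the qemu-based build that the patch file name suggests it was written for. What the function does on failure is not visible here, but without it a sudo binary that has lost its setuid bit or sits on a nosuid mount presumably fails later and less clearly. I would apply the patch only in the build that needs it, by wrapping `%patch8 -p1` in that build's `%if` conditional. The patch also needs a header comment stating the reason, for example `# Workaround: euid check fails under qemu user emulation; do not apply to native builds`.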

sudo-pam.conf Normal file

@ -0,0 +1,6 @@
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session required pam_limits.so

sudo-sudoers.conf Normal file

@ -0,0 +1,36 @@
# sudoers file.
#
# This file MUST be edited with the 'visudo' command as root.
#
# See the sudoers man page for the details on how to write a sudoers file.
#
# Host alias specification
# User alias specification
# Cmnd alias specification
Cmnd_Alias DISTRO_CMD = /usr/bin/apt-get, /usr/bin/rpm, /usr/sbin/synaptic, /usr/bin/apt-cdrom, /opt/kde3/bin/mambapt, /usr/bin/smart
Cmnd_Alias EXTRA_CMD = /usr/bin/updatechecker, /usr/sbin/activate
Cmnd_Alias SYSADM_CMD = /usr/bin/kdesu_stub, /sbin/service, /sbin/chkconfig, \
/opt/kde3/bin/guarddog
Cmnd_Alias SYSADM_CMD_PASSWD = /sbin/*, /usr/sbin/*, /bin/*, /usr/bin/*, /opt/kde/bin/*, /opt/kde3/bin/*
# Defaults specification
# Runas alias specification
# User privilege specification
root ALL=(ALL) ALL
# Samples
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now
%sysadmin ALL = PASSWD: SYSADM_CMD_PASSWD
%packager ALL = NOPASSWD: DISTRO_CMD
%sysadmin ALL = NOPASSWD: DISTRO_CMD
%sysadmin ALL = NOPASSWD: SYSADM_CMD
%sysadmin ALL = NOPASSWD: EXTRA_CMD
#includedir /etc/sudoers.d
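Review bot: The `NOPASSWD:` rules for `DISTRO_CMD` and `SYSADM_CMD` let the `sysadmin` and `packager` groups run package managers (`rpm`, `apt-get`, `smart`), `/sbin/service` and `kdesu_stub` as root without authenticating. In practice that is unrestricted passwordless root, because a package manager installs and runs whatever package it is given. These rules also come after the `PASSWD: SYSADM_CMD_PASSWD` line, and sudoers uses the last matching entry, so for paths such as `/usr/bin/rpm` the password requirement on the wildcard rule never takes effect. I would tag these aliases `PASSWD:`, for example `%sysadmin ALL = PASSWD: DISTRO_CMD, SYSADM_CMD, EXTRA_CMD`, and keep `NOPASSWD:` only for commands that take no user-controlled input. A comment above each group rule saying who is expected to be a member would make the trust decision reviewable.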

sudo.spec Normal file

@ -0,0 +1,281 @@
%define sysadmin_groupid 30
%define sysadmin_name sysadmin
%define with_exempt 0
Name: sudo
Version: 1.8.9p4
Release: 1mamba
Summary: Allows restricted root access for specified users
Group: System/Tools
Vendor: openmamba
Distribution: openmamba
Packager: Silvan Calarco <silvan.calarco@mambasoft.it>
URL: http://www.courtesan.com/sudo/
Source0: http://www.courtesan.com/sudo/dist/%{name}-%{version}.tar.gz
Source1: %{name}-sudoers.conf
Source2: %{name}-pam.conf
Patch2: %{name}-1.6.8p9-samples.patch
Patch3: %{name}-1.6.8p9-can_2005_2959.patch
Patch4: %{name}-1.6.8p12-can_2006_0151.patch
Patch5: %{name}-1.6.8p12-badenv_table_more.patch
Patch6: %{name}-1.6.8p12-sudoers_man.patch
Patch7: %{name}-1.7.0-disable_env_reset.patch
Patch8: %{name}-1.8.6p4-qemu_no_geteuid.patch
License: BSD
## AUTOBUILDREQ-BEGIN
BuildRequires: glibc-devel
BuildRequires: pam-devel
%if "%{stage1}" != "1"
BuildRequires: libopenldap-devel
BuildRequires: vim
%endif
## AUTOBUILDREQ-END
%if "%{stage1}" != "1"
Requires: vim >= 6.3
%endif
BuildRoot: %{_tmppath}/%{name}-%{version}-root
%description
Sudo (superuser do) is a program designed to allow a sysadmin to give limited root privileges to users and log root activity.
The basic philosophy is to give as few privileges as possible but still allow people to get their work done.
%prep
%setup -q
#%patch2 -p1
#%patch4 -p1 -b .can_2006_0151
%if %with_exempt
%patch6 -p1 -b .sudoers_man
%endif
#%patch7 -p1
%patch8 -p1
%build
%configure \
--with-logging=syslog \
--with-logfac=authpriv \
%if "%{stage1}" != "1"
--with-ldap \
%endif
--with-pam \
--without-rpath \
--with-tty-tickets \
--with-editor=%{_bindir}/vi \
--with-env-editor \
--with-ignore-dot \
--with-all-insults \
--without-lecture \
--with-secure-path="\
--with-timedir=/var/db/sudo \
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/kde/bin:/opt/kde3/bin" \
--with-fqdn \
%if %with_exempt
--with-exempt=%{sysadmin_name} \
%endif
--disable-root-mailer \
--with-sendmail=/usr/sbin/sendmail \
--disable-setresuid
# --disable-envreset
# --with-password-timeout=0
%make
%install
[ "%{buildroot}" != / ] && rm -rf %{buildroot}
%makeinstall \
install_uid=`id -u` \
install_gid=`id -g` \
sudoers_uid=`id -u` \
sudoers_gid=`id -g`
rm -f %{buildroot}%{_bindir}/sudoedit
ln -sf sudo %{buildroot}%{_bindir}/sudoedit
install -D -m0440 %{SOURCE1} %{buildroot}%{_sysconfdir}/sudoers
install -D -m0644 %{SOURCE2} %{buildroot}%{_sysconfdir}/pam.d/sudo
install -d %{buildroot}%{_var}/log
touch %{buildroot}%{_var}/log/%{name}.log
install -d -m 700 %{buildroot}/var/run/sudo
install -d -m 510 %{buildroot}%{_sysconfdir}/sudoers.d
%find_lang %{name}
%find_lang sudoers
cat sudoers.lang >> %{name}.lang
%clean
[ "%{buildroot}" != / ] && rm -rf %{buildroot}
%pre
groupadd sysadmin -g %{sysadmin_groupid} 2>/dev/null || :
exit 0
%post
/bin/chmod 0440 %{_sysconfdir}/sudoers || :
grep mambapt %{_sysconfdir}/sudoers >/dev/null || \
sed -i "s|\(Cmnd_Alias DISTRO_CMD = .*\)|\1, /opt/kde3/bin/mambapt|" %{_sysconfdir}/sudoers
grep "/etc/sudoers\.d" %{_sysconfdir}/sudoers >/dev/null || \
echo "#includedir /etc/sudoers.d" >> %{_sysconfdir}/sudoers
exit 0
%files -f %{name}.lang
%defattr(-,root,root)
%attr(0110,root,root) %{_sysconfdir}/sudoers.d
%attr(0440,root,root) %config %{_sysconfdir}/sudoers
%attr(4111,root,root) %{_bindir}/sudo
%attr(4111,root,root) %{_bindir}/sudoedit
%attr(4111,root,root) %{_bindir}/sudoreplay
%attr(0755,root,root) %{_sbindir}/visudo
%config %{_sysconfdir}/pam.d/sudo
%dir %{_libexecdir}/sudo
%{_libexecdir}/sudo/group_file.so
%{_libexecdir}/sudo/sudo_noexec.so
%{_libexecdir}/sudo/sudoers.so
%{_libexecdir}/sudo/system_group.so
%{_includedir}/sudo_plugin.h
%ghost %{_var}/log/%{name}.log
%dir /var/run/sudo
%attr(0700,root,root) %{_localstatedir}/db/sudo
%dir %{_docdir}/sudo
%{_docdir}/sudo/*
%{_mandir}/man5/sudo.conf.5*
%{_mandir}/man5/sudoers.*
%{_mandir}/man8/sudo.*
%{_mandir}/man8/sudoreplay.*
%{_mandir}/man8/sudoedit.*
%{_mandir}/man8/visudo.*
%{_mandir}/man8/sudo_plugin.8*
%doc ChangeLog README README.LDAP
%changelog
* Sat Feb 01 2014 Silvan Calarco <silvan.calarco@mambasoft.it> 1.8.9p4-1mamba
- update to 1.8.9p4
* Fri Oct 04 2013 Automatic Build System <autodist@mambasoft.it> 1.8.8-1mamba
- automatic update by autodist
* Mon Jun 17 2013 Automatic Build System <autodist@mambasoft.it> 1.8.7-1mamba
- automatic version update by autodist
* Tue Apr 16 2013 Automatic Build System <autodist@mambasoft.it> 1.8.6p8-1mamba
- automatic version update by autodist
* Fri Mar 01 2013 Automatic Build System <autodist@mambasoft.it> 1.8.6p7-1mamba
- automatic version update by autodist
* Wed Jan 23 2013 Automatic Build System <autodist@mambasoft.it> 1.8.6p4-1mamba
- automatic version update by autodist
* Wed Sep 19 2012 Automatic Build System <autodist@mambasoft.it> 1.8.6p3-1mamba
- automatic version update by autodist
* Sun Jun 26 2011 Automatic Build System <autodist@mambasoft.it> 1.8.1p2-1mamba
- automatic update by autodist
* Wed Feb 02 2011 Automatic Build System <autodist@mambasoft.it> 1.7.4p6-1mamba
- automatic update by autodist
* Tue Jan 11 2011 Silvan Calarco <silvan.calarco@mambasoft.it> 1.7.4p4-2mamba
- sudoers: change path or rpm from /bin/rpm to /usr/bin/rpm (rpm 5)
* Wed Nov 10 2010 Automatic Build System <autodist@mambasoft.it> 1.7.4p4-1mamba
- automatic update by autodist
* Fri Sep 03 2010 Silvan Calarco <silvan.calarco@mambasoft.it> 1.7.4p3-2mamba
- create and own /var/db/sudo
* Sun Aug 22 2010 Silvan Calarco <silvan.calarco@mambasoft.it> 1.7.4p3-1mamba
- update to 1.7.4p3
- added support for /etc/sudoers.d directory
* Mon Jun 21 2010 Automatic Build System <autodist@mambasoft.it> 1.7.2p7-1mamba
- automatic update by autodist
* Mon Feb 15 2010 Silvan Calarco <silvan.calarco@mambasoft.it> 1.7.2p2-3mamba
- /opt/kde3/bin/kcmshell removed from /etc/sudoers
* Wed Jan 06 2010 Silvan Calarco <silvan.calarco@mambasoft.it> 1.7.2p2-2mamba
- add /usr/bin/smart to sudoers DISTRO_CMD
* Tue Dec 08 2009 Automatic Build System <autodist@mambasoft.it> 1.7.2p2-1mamba
- automatic update by autodist
* Wed Jul 29 2009 Automatic Build System <autodist@mambasoft.it> 1.7.2p1-1mamba
- automatic update by autodist
* Fri Jul 17 2009 Automatic Build System <autodist@mambasoft.it> 1.7.2-1mamba
- automatic update by autodist
* Sun Apr 19 2009 Automatic Build System <autodist@mambasoft.it> 1.7.1-1mamba
- automatic update by autodist
* Sat Apr 04 2009 Silvan Calarco <silvan.calarco@mambasoft.it> 1.7.0-1mamba
- automatic update by autodist
* Sun Feb 01 2009 Silvan Calarco <silvan.calarco@mambasoft.it> 1.6.9p20-1mamba
- update to 1.6.9p20
- added support for kde4 binaries path
* Wed Dec 03 2008 Silvan Calarco <silvan.calarco@mambasoft.it> 1.6.9p18-1mamba
- automatic update by autodist
* Thu May 08 2008 Silvan Calarco <silvan.calarco@mambasoft.it> 1.6.9p15-2mamba
- added kde3 path to secure dirs; removed /usr/X11R6/bin
- added patch that disables default environment reset
* Mon Mar 31 2008 Silvan Calarco <silvan.calarco@mambasoft.it> 1.6.9p15-1mamba
- update to 1.6.9p15
- sudoers: allow execution of all commands in system path to sysadmin group
requiring user password
- removed pam, badenv table and can_2006_0151 patches applied upstream
* Fri Dec 28 2007 Silvan Calarco <silvan.calarco@mambasoft.it> 1.6.8p12-13mamba
- removed a message when installing/upgrading
* Tue Nov 27 2007 Silvan Calarco <silvan.calarco@mambasoft.it> 1.6.8p12-12mamba
- sudoers: added /opt/kde3/bin/mambapt in DISTRO_CMD
- sudoers: removed obsolete EXTRA_CMD (/usr/bin/updatechecker and /usr/bin/activate)
* Thu Nov 22 2007 Silvan Calarco <silvan.calarco@mambasoft.it> 1.6.8p12-11mamba
- fixed pam configuration file
* Mon Nov 19 2007 Silvan Calarco <silvan.calarco@mambasoft.it> 1.6.8p12-10mamba
- added guarddog and kcmshell to SYSADM_CMD
* Tue Jun 27 2006 Massimo Pintore <massimo.pintore@qilinux.it> 1.6.8p12-9qilnx
- added EXTRA_CMD alias in sudoers file
* Fri Apr 21 2006 Silvan Calarco <silvan.calarco@mambasoft.it> 1.6.8p12-8qilnx
- added /usr/bin/apt-cdrom and /usr/bin/updatechecker in sudoers file
* Thu Apr 06 2006 Davide Madrisan <davide.madrisan@qilinux.it> 1.6.8p12-7qilnx
- option '--with-exempt=%{sysadmin_name}' disabled
* Wed Apr 05 2006 Davide Madrisan <davide.madrisan@qilinux.it> 1.6.8p12-6qilnx
- rebuild with the option '--with-exempt=%{sysadmin_name}'
- removed patch for CAN-2005-2959 (fixed upstream)
* Tue Feb 14 2006 Silvan Calarco <silvan.calarco@mambasoft.it> 1.6.8p12-5qilnx
- create and handle sysadmin group
* Mon Feb 06 2006 Davide Madrisan <davide.madrisan@qilinux.it> 1.6.8p12-4qilnx
- new patch for CVE-2006-0151
* Wed Jan 25 2006 Silvan Calarco <silvan.calarco@mambasoft.it> 1.6.8p12-3qilnx
- allow "packager" group users to execute rpm, apt-get and synaptic
* Mon Jan 23 2006 Davide Madrisan <davide.madrisan@qilinux.it> 1.6.8p12-2qilnx
- security update for CVE-2006-0151 (qibug#117)
* Mon Nov 14 2005 Davide Madrisan <davide.madrisan@qilinux.it> 1.6.8p12-1qilnx
- update to version 1.6.8p12 by autospec
- also fixes a security issue in perl scripts (QiLinux bug#69)
* Wed Oct 26 2005 Davide Madrisan <davide.madrisan@qilinux.it> 1.6.8p9-2qilnx
- security fix for CAN-2005-2959 (closes: #55)
* Fri Sep 30 2005 Davide Madrisan <davide.madrisan@qilinux.it> 1.6.8p9-1qilnx
- package created by autospec
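Review bot: In the `%configure` call under `%build`, `--with-timedir=/var/db/sudo \` sits between the opening quote of `--with-secure-path="\` and the path list, so the shell joins it into the quoted value. As a result the timestamp directory option is never passed to configure, and the compiled-in secure path begins with the literal text `--with-timedir=/var/db/sudo` instead of `/usr/local/sbin`, which leaves a non-absolute first entry in the path sudo uses to resolve commands. Move the option out of the quotes by putting `--with-timedir=/var/db/sudo \` on its own line before `--with-secure-path="\`, so that the path list directly follows the opening quote. Separately, `sudoers.d` is created with `install -d -m 510` but packaged as `%attr(0110,root,root)`; pick one mode and add a comment saying why.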