From a05f3a53e4c08f8a1d97f0278649e3af3d55776f Mon Sep 17 00:00:00 2001
From: Silvan Calarco
Date: Thu, 11 Apr 2024 22:42:45 +0200
Subject: [PATCH] sudo-pam.conf: remove required pam_limits.so and use system defaults for session (fixes running in docker container) configure cleanups and improvements [release 1.9.15p5-2mamba;Sun Apr 07 2024]
---
sudo-1.6.8p12-badenv_table_more.patch | 20 --------
sudo-1.6.8p12-can_2006_0151.patch | 41 ---------------
sudo-1.6.8p12-sudoers_man.patch | 11 ----
sudo-1.6.8p9-can_2005_2959.patch | 11 ----
sudo-1.6.8p9-samples.patch | 72 --------------------------
sudo-1.7.0-disable_env_reset.patch | 12 -----
sudo-1.8.6p4-qemu_no_geteuid.patch | 12 -----
sudo-pam.conf | 3 +-
sudo.spec | 36 ++++----------
9 files changed, 10 insertions(+), 208 deletions(-)
delete mode 100644 sudo-1.6.8p12-badenv_table_more.patch
delete mode 100644 sudo-1.6.8p12-can_2006_0151.patch
delete mode 100644 sudo-1.6.8p12-sudoers_man.patch
delete mode 100644 sudo-1.6.8p9-can_2005_2959.patch
delete mode 100644 sudo-1.6.8p9-samples.patch
delete mode 100644 sudo-1.7.0-disable_env_reset.patch
delete mode 100644 sudo-1.8.6p4-qemu_no_geteuid.patch
diff --git a/sudo-1.6.8p12-badenv_table_more.patch b/sudo-1.6.8p12-badenv_table_more.patch
deleted file mode 100644
index 880be71..0000000
--- a/sudo-1.6.8p12-badenv_table_more.patch
+++ /dev/null
@@ -1,20 +0,0 @@
---- sudo-1.6.8p12/env.c 2006-04-05 11:26:20.000000000 +0200
-+++ sudo-1.6.8p12-fix/env.c 2006-04-05 11:32:13.000000000 +0200
-@@ -124,12 +124,17 @@
- "TERMCAP", /* XXX - only if it starts with '/' */
- "ENV",
- "BASH_ENV",
-+ "GLOBIGNORE",
- "PS4",
- "SHELLOPTS",
- "JAVA_TOOL_OPTIONS",
- "PERLLIB",
-+ "PERL5DB",
- "PERL5LIB",
- "PERL5OPT",
-+ "PYTHONHOME",
-+ "PYTHONPATH",
-+ "PYTHONINSPECT",
- NULL
- };
- 
diff --git a/sudo-1.6.8p12-can_2006_0151.patch b/sudo-1.6.8p12-can_2006_0151.patch
deleted file mode 100644
index 624007d..0000000
--- a/sudo-1.6.8p12-can_2006_0151.patch
+++ /dev/null
@@ -1,41 +0,0 @@
---- sudo-1.6.8p12/env.c 2006-02-06 14:23:31.000000000 +0100
-+++ sudo-1.6.8p12-fix/env.c 2006-02-06 14:31:06.000000000 +0100
-@@ -142,6 +142,7 @@
- "LC_*",
- "LANG",
- "LANGUAGE",
-+ "TERM",
- NULL
- };
- 
-@@ -440,6 +441,7 @@
- }
- 
- /* Skip anything listed in env_delete. */
-+#if 0
- for (cur = def_env_delete; cur && okvar; cur = cur->next) {
- len = strlen(cur->value);
- /* Deal with '*' wildcard */
-@@ -453,9 +455,10 @@
- okvar = 0;
- }
- }
-+#endif
- 
- /* Check certain variables for '%' and '/' characters. */
-- for (cur = def_env_check; cur && okvar; cur = cur->next) {
-+ for (cur = def_env_check; cur; cur = cur->next) {
- len = strlen(cur->value);
- /* Deal with '*' wildcard */
- if (cur->value[len - 1] == '*') {
-@@ -465,8 +468,8 @@
- iswild = 0;
- if (strncmp(cur->value, *ep, len) == 0 &&
- (iswild || (*ep)[len] == '=') &&
-- strpbrk(*ep, "/%")) {
-- okvar = 0;
-+ strpbrk(*ep, "/%") == NULL) {
-+ okvar = 1;
- }
- }
- 
diff --git a/sudo-1.6.8p12-sudoers_man.patch b/sudo-1.6.8p12-sudoers_man.patch
deleted file mode 100644
index 268f954..0000000
--- a/sudo-1.6.8p12-sudoers_man.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- sudo-1.6.8p12/sudoers.man.in 2005-11-08 19:22:19.000000000 +0100
-+++ sudo-1.6.8p12-fix/sudoers.man.in 2006-04-05 11:08:00.000000000 +0200
-@@ -759,7 +759,7 @@
- .IP "exempt_group" 12
- .IX Item "exempt_group"
- Users in this group are exempt from password and \s-1PATH\s0 requirements.
--This is not set by default.
-+On QiLinux systems, this is set to the group 'sysadmin' by default.
- .IP "verifypw" 12
- .IX Item "verifypw"
- This option controls when a password will be required when a user runs
diff --git a/sudo-1.6.8p9-can_2005_2959.patch b/sudo-1.6.8p9-can_2005_2959.patch
deleted file mode 100644
index 67046f7..0000000
--- a/sudo-1.6.8p9-can_2005_2959.patch
+++ /dev/null
@@ -1,11 +0,0 @@
---- sudo-1.6.8p9/env.c.orig 2005-10-26 08:53:26.000000000 +0200
-+++ sudo-1.6.8p9/env.c 2005-10-26 08:56:21.000000000 +0200
-@@ -89,6 +89,8 @@
- static const char *initial_badenv_table[] = {
- "IFS",
- "CDPATH",
-+ "SHELLOPTS",
-+ "PS4",
- "LOCALDOMAIN",
- "RES_OPTIONS",
- "HOSTALIASES",
diff --git a/sudo-1.6.8p9-samples.patch b/sudo-1.6.8p9-samples.patch
deleted file mode 100644
index e37a5be..0000000
--- a/sudo-1.6.8p9-samples.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-diff -ru sudo-1.6.8p9/ins_classic.h sudo-1.6.8p9-qifix/ins_classic.h
---- sudo-1.6.8p9/ins_classic.h 2004-02-13 21:36:43.000000000 +0000
-+++ sudo-1.6.8p9-qifix/ins_classic.h 2005-09-30 09:22:24.000000000 +0000
-@@ -32,7 +32,7 @@
- "Where did you learn to type?",
- "Are you on drugs?",
- "My pet ferret can type better than you!",
-- "You type like i drive.",
-+ "You type like I drive.",
- "Do you think like you type?",
- "Your mind just hasn't been the same since the electro-shock, has it?",
- 
-diff -ru sudo-1.6.8p9/sample.sudoers sudo-1.6.8p9-qifix/sample.sudoers
---- sudo-1.6.8p9/sample.sudoers 2004-05-17 22:31:35.000000000 +0000
-+++ sudo-1.6.8p9-qifix/sample.sudoers 2005-09-30 09:31:59.000000000 +0000
-@@ -36,15 +36,14 @@
- ##
- Cmnd_Alias DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \
- /usr/sbin/rrestore, /usr/bin/mt
--Cmnd_Alias KILL = /usr/bin/kill
-+Cmnd_Alias KILL = /bin/kill
- Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
--Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
--Cmnd_Alias HALT = /usr/sbin/halt
--Cmnd_Alias REBOOT = /usr/sbin/reboot
--Cmnd_Alias SHELLS = /sbin/sh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
-- /usr/local/bin/tcsh, /usr/bin/rsh, \
-- /usr/local/bin/zsh
--Cmnd_Alias SU = /usr/bin/su
-+Cmnd_Alias SHUTDOWN = /sbin/shutdown
-+Cmnd_Alias HALT = /sbin/halt
-+Cmnd_Alias REBOOT = /sbin/reboot
-+Cmnd_Alias SHELLS = /bin/sh, /bin/sh, /bin/csh, /bin/ksh, /bin/rsh, \
-+ /bin/tcsh, /bin/zsh
-+Cmnd_Alias SU = /bin/su
- Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \
- /usr/bin/chfn
- 
-@@ -82,7 +81,7 @@
- sudoedit /etc/printcap, /usr/oper/bin/
- 
- # joe may su only to operator
--joe ALL = /usr/bin/su operator
-+joe ALL = /bin/su operator
- 
- # pete may change passwords for anyone but root on the hp snakes
- pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
-@@ -96,13 +95,13 @@
- 
- # users in the secretaries netgroup need to help manage the printers
- # as well as add and remove users
--+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
-++secretaries ALL = PRINTING, /usr/sbin/useradd, /usr/sbin/userdel
- 
- # fred can run commands as oracle or sybase without a password
- fred ALL = (DB) NOPASSWD: ALL
- 
- # on the alphas, john may su to anyone but root and flags are not allowed
--john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
-+john ALPHA = /usr/bin/su [!-]*, !/bin/su *root*
- 
- # jen can run anything on all machines except the ones
- # in the "SERVERS" Host_Alias
-@@ -123,7 +122,7 @@
- # users in the WEBMASTERS User_Alias (will, wendy, and wim)
- # may run any command as user www (which owns the web pages)
- # or simply su to www.
--WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
-+WEBMASTERS www = (www) ALL, (root) /bin/su www
- 
- # anyone can mount/unmount a cd-rom on the machines in the CDROM alias
- ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
diff --git a/sudo-1.7.0-disable_env_reset.patch b/sudo-1.7.0-disable_env_reset.patch
deleted file mode 100644
index a434f31..0000000
--- a/sudo-1.7.0-disable_env_reset.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -Nru sudo-1.7.0.orig/defaults.c sudo-1.7.0/defaults.c
---- sudo-1.7.0.orig/defaults.c 2008-11-09 15:13:12.000000000 +0100
-+++ sudo-1.7.0/defaults.c 2009-01-05 05:08:06.000000000 +0100
-@@ -428,7 +428,7 @@
- def_askpass = estrdup(_PATH_SUDO_ASKPASS);
- #endif
- def_sudoers_locale = estrdup("C");
-- def_env_reset = TRUE;
-+ def_env_reset = FALSE;
- def_set_logname = TRUE;
- def_closefrom = STDERR_FILENO + 1;
- 
diff --git a/sudo-1.8.6p4-qemu_no_geteuid.patch b/sudo-1.8.6p4-qemu_no_geteuid.patch
deleted file mode 100644
index 7932303..0000000
--- a/sudo-1.8.6p4-qemu_no_geteuid.patch
+++ /dev/null
@@ -1,12 +0,0 @@
---- sudo-1.8.6p4/src/sudo.c.orig 2013-01-23 14:31:28.959527349 +0100
-+++ sudo-1.8.6p4/src/sudo.c 2013-01-23 14:31:32.840488423 +0100
-@@ -184,9 +184,6 @@
- # endif
- #endif /* HAVE_GETPRPWNAM && HAVE_SET_AUTH_PARAMETERS */
- 
-- /* Make sure we are setuid root. */
-- sudo_check_suid(argv[0]);
--
- /* Reset signal mask, save signal state and make sure fds 0-2 are open. */
- (void) sigemptyset(&mask);
- (void) sigprocmask(SIG_SETMASK, &mask, NULL);
diff --git a/sudo-pam.conf b/sudo-pam.conf
index bb8e49e..fcb7a46 100644
--- a/sudo-pam.conf
+++ b/sudo-pam.conf
@@ -2,5 +2,4 @@
 auth include system-auth
 account include system-auth
 password include system-auth
-session required pam_limits.so
-
+session include system-auth
diff --git a/sudo.spec b/sudo.spec
index 0bd52f9..d3bf584 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,11 +1,9 @@
 %define sysadmin_groupid 30
 %define sysadmin_name sysadmin
-%define with_exempt 0
-
 Name: sudo
 Version: 1.9.15p5
-Release: 1mamba
+Release: 2mamba
 Summary: Allows restricted root access for specified users
 Group: System/Tools
 Vendor: openmamba
@@ -15,13 +13,6 @@ URL: https://www.sudo.ws/sudo/
 Source0: https://www.sudo.ws/dist/sudo-%{version}.tar.gz
 Source1: %{name}-sudoers.conf
 Source2: %{name}-pam.conf
-Patch2: %{name}-1.6.8p9-samples.patch
-Patch3: %{name}-1.6.8p9-can_2005_2959.patch
-Patch4: %{name}-1.6.8p12-can_2006_0151.patch
-Patch5: %{name}-1.6.8p12-badenv_table_more.patch
-Patch6: %{name}-1.6.8p12-sudoers_man.patch
-Patch7: %{name}-1.7.0-disable_env_reset.patch
-Patch8: %{name}-1.8.6p4-qemu_no_geteuid.patch
 License: BSD
 ## AUTOBUILDREQ-BEGIN
 BuildRequires: glibc-devel
@@ -47,13 +38,6 @@ The basic philosophy is to give as few privileges as possible but still allow pe
 %prep
 %setup -q
-#%patch2 -p1
-#%patch4 -p1 -b .can_2006_0151
-%if %with_exempt
-%patch 6 -p1 -b .sudoers_man
-%endif
-#%patch7 -p1
-#%patch8 -p1
 %build
 %configure \
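Review bot: With `session required pam_limits.so` replaced by `session include system-auth` in sudo-pam.conf, limits from limits.conf reach sudo-spawned commands only if the system-auth session stack itself lists pam_limits.so; that is worth confirming on the target images, because the changelog frames the change purely as a container fix while it can also silently drop resource limits on hosts. A short comment in the file would keep the reason from being lost, e.g. `# session: defer to system-auth (a hard pam_limits.so requirement breaks sudo inside docker containers)`.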
@@ -62,6 +46,8 @@ The basic philosophy is to give as few privileges as possible but still allow pe
 %if "%{stage1}" != "1"
 --with-ldap \
 %endif
+ --with-logfac=auth \
+ --enable-tmpfiles.d \
 --with-pam \
 --without-rpath \
 --with-tty-tickets \
@@ -70,20 +56,14 @@ The basic philosophy is to give as few privileges as possible but still allow pe
 --with-ignore-dot \
 --with-all-insults \
 --without-lecture \
- --with-secure-path="\
-/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/kde/bin:/opt/kde3/bin" \
 --with-fqdn \
+ --with-passprompt="[sudo] password for %p: " \
 --with-rundir=/run/sudo \
-%if %with_exempt
- --with-exempt=%{sysadmin_name} \
-%endif
+ --with-all-insults \
 --disable-root-mailer \
 --with-sendmail=/usr/sbin/sendmail \
 --disable-setresuid
-# --disable-envreset
-# --with-password-timeout=0
-
 %make
 %install
@@ -148,7 +128,6 @@ exit 0
 %{_libexecdir}/sudo/group_file.so
 %{_libexecdir}/sudo/libsudo_util.so
 %{_libexecdir}/sudo/libsudo_util.so.*
-#%{_libexecdir}/sudo/sample_approval.so
 %{_libexecdir}/sudo/sudo_intercept.so
 %{_libexecdir}/sudo/sudo_noexec.so
 %{_libexecdir}/sudo/sudoers.so
@@ -172,9 +151,12 @@ exit 0
 %{_mandir}/man8/sudo_sendlog.8*
 %{_mandir}/man8/visudo.*
 %doc LICENSE.md
-#%doc ChangeLog README README.LDAP
 %changelog
+* Sun Apr 07 2024 Silvan Calarco 1.9.15p5-2mamba
+- sudo-pam.conf: remove required pam_limits.so and use system defaults for session (fixes running in docker container)
+- configure cleanups and improvements
+
 * Mon Feb 12 2024 Automatic Build System 1.9.15p5-1mamba
 - automatic update by autodist
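Review bot: `--with-all-insults \` is passed to configure twice after the `@@ -70,20 +56,14 @@` hunk: the added `+ --with-all-insults \` duplicates the unchanged `--with-all-insults \` three lines above it, so the added copy should be dropped. Removing `--with-secure-path="/usr/local/sbin:...:/opt/kde3/bin"` in the same hunk is a behaviour change rather than a cleanup: with sudo's default env_reset the invoking user's PATH is kept, so unless the shipped sudoers (Source1) sets `Defaults secure_path`, commands run through sudo are now resolved via a caller-controlled PATH; either restore the option or confirm sudoers covers it, and name the change in the changelog entry rather than folding it into `configure cleanups and improvements`. The new `--with-passprompt="[sudo] password for %p: "` line puts a bare `%p` in a spec file, which rpm's macro expander may try to expand; `%%p` is the safe spelling. The `%configure` invocation these lines belong to starts in the preceding hunk, outside this one.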