sudo-pam.conf: remove required pam_limits.so and use system defaults for session (fixes running in docker container)

configure cleanups and improvements [release 1.9.15p5-2mamba;Sun Apr 07 2024]
This commit is contained in:
Silvan Calarco 2024-04-11 22:42:45 +02:00
parent 0d498dd8de
commit a05f3a53e4
9 changed files with 10 additions and 208 deletions

View File

@ -1,20 +0,0 @@
--- sudo-1.6.8p12/env.c 2006-04-05 11:26:20.000000000 +0200
+++ sudo-1.6.8p12-fix/env.c 2006-04-05 11:32:13.000000000 +0200
@@ -124,12 +124,17 @@
"TERMCAP", /* XXX - only if it starts with '/' */
"ENV",
"BASH_ENV",
+ "GLOBIGNORE",
"PS4",
"SHELLOPTS",
"JAVA_TOOL_OPTIONS",
"PERLLIB",
+ "PERL5DB",
"PERL5LIB",
"PERL5OPT",
+ "PYTHONHOME",
+ "PYTHONPATH",
+ "PYTHONINSPECT",
NULL
};

View File

@ -1,41 +0,0 @@
--- sudo-1.6.8p12/env.c 2006-02-06 14:23:31.000000000 +0100
+++ sudo-1.6.8p12-fix/env.c 2006-02-06 14:31:06.000000000 +0100
@@ -142,6 +142,7 @@
"LC_*",
"LANG",
"LANGUAGE",
+ "TERM",
NULL
};
@@ -440,6 +441,7 @@
}
/* Skip anything listed in env_delete. */
+#if 0
for (cur = def_env_delete; cur && okvar; cur = cur->next) {
len = strlen(cur->value);
/* Deal with '*' wildcard */
@@ -453,9 +455,10 @@
okvar = 0;
}
}
+#endif
/* Check certain variables for '%' and '/' characters. */
- for (cur = def_env_check; cur && okvar; cur = cur->next) {
+ for (cur = def_env_check; cur; cur = cur->next) {
len = strlen(cur->value);
/* Deal with '*' wildcard */
if (cur->value[len - 1] == '*') {
@@ -465,8 +468,8 @@
iswild = 0;
if (strncmp(cur->value, *ep, len) == 0 &&
(iswild || (*ep)[len] == '=') &&
- strpbrk(*ep, "/%")) {
- okvar = 0;
+ strpbrk(*ep, "/%") == NULL) {
+ okvar = 1;
}
}

View File

@ -1,11 +0,0 @@
--- sudo-1.6.8p12/sudoers.man.in 2005-11-08 19:22:19.000000000 +0100
+++ sudo-1.6.8p12-fix/sudoers.man.in 2006-04-05 11:08:00.000000000 +0200
@@ -759,7 +759,7 @@
.IP "exempt_group" 12
.IX Item "exempt_group"
Users in this group are exempt from password and \s-1PATH\s0 requirements.
-This is not set by default.
+On QiLinux systems, this is set to the group 'sysadmin' by default.
.IP "verifypw" 12
.IX Item "verifypw"
This option controls when a password will be required when a user runs

View File

@ -1,11 +0,0 @@
--- sudo-1.6.8p9/env.c.orig 2005-10-26 08:53:26.000000000 +0200
+++ sudo-1.6.8p9/env.c 2005-10-26 08:56:21.000000000 +0200
@@ -89,6 +89,8 @@
static const char *initial_badenv_table[] = {
"IFS",
"CDPATH",
+ "SHELLOPTS",
+ "PS4",
"LOCALDOMAIN",
"RES_OPTIONS",
"HOSTALIASES",

View File

@ -1,72 +0,0 @@
diff -ru sudo-1.6.8p9/ins_classic.h sudo-1.6.8p9-qifix/ins_classic.h
--- sudo-1.6.8p9/ins_classic.h 2004-02-13 21:36:43.000000000 +0000
+++ sudo-1.6.8p9-qifix/ins_classic.h 2005-09-30 09:22:24.000000000 +0000
@@ -32,7 +32,7 @@
"Where did you learn to type?",
"Are you on drugs?",
"My pet ferret can type better than you!",
- "You type like i drive.",
+ "You type like I drive.",
"Do you think like you type?",
"Your mind just hasn't been the same since the electro-shock, has it?",
diff -ru sudo-1.6.8p9/sample.sudoers sudo-1.6.8p9-qifix/sample.sudoers
--- sudo-1.6.8p9/sample.sudoers 2004-05-17 22:31:35.000000000 +0000
+++ sudo-1.6.8p9-qifix/sample.sudoers 2005-09-30 09:31:59.000000000 +0000
@@ -36,15 +36,14 @@
##
Cmnd_Alias DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \
/usr/sbin/rrestore, /usr/bin/mt
-Cmnd_Alias KILL = /usr/bin/kill
+Cmnd_Alias KILL = /bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
-Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
-Cmnd_Alias HALT = /usr/sbin/halt
-Cmnd_Alias REBOOT = /usr/sbin/reboot
-Cmnd_Alias SHELLS = /sbin/sh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
- /usr/local/bin/tcsh, /usr/bin/rsh, \
- /usr/local/bin/zsh
-Cmnd_Alias SU = /usr/bin/su
+Cmnd_Alias SHUTDOWN = /sbin/shutdown
+Cmnd_Alias HALT = /sbin/halt
+Cmnd_Alias REBOOT = /sbin/reboot
+Cmnd_Alias SHELLS = /bin/sh, /bin/sh, /bin/csh, /bin/ksh, /bin/rsh, \
+ /bin/tcsh, /bin/zsh
+Cmnd_Alias SU = /bin/su
Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \
/usr/bin/chfn
@@ -82,7 +81,7 @@
sudoedit /etc/printcap, /usr/oper/bin/
# joe may su only to operator
-joe ALL = /usr/bin/su operator
+joe ALL = /bin/su operator
# pete may change passwords for anyone but root on the hp snakes
pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
@@ -96,13 +95,13 @@
# users in the secretaries netgroup need to help manage the printers
# as well as add and remove users
-+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
++secretaries ALL = PRINTING, /usr/sbin/useradd, /usr/sbin/userdel
# fred can run commands as oracle or sybase without a password
fred ALL = (DB) NOPASSWD: ALL
# on the alphas, john may su to anyone but root and flags are not allowed
-john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
+john ALPHA = /usr/bin/su [!-]*, !/bin/su *root*
# jen can run anything on all machines except the ones
# in the "SERVERS" Host_Alias
@@ -123,7 +122,7 @@
# users in the WEBMASTERS User_Alias (will, wendy, and wim)
# may run any command as user www (which owns the web pages)
# or simply su to www.
-WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
+WEBMASTERS www = (www) ALL, (root) /bin/su www
# anyone can mount/unmount a cd-rom on the machines in the CDROM alias
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\

View File

@ -1,12 +0,0 @@
diff -Nru sudo-1.7.0.orig/defaults.c sudo-1.7.0/defaults.c
--- sudo-1.7.0.orig/defaults.c 2008-11-09 15:13:12.000000000 +0100
+++ sudo-1.7.0/defaults.c 2009-01-05 05:08:06.000000000 +0100
@@ -428,7 +428,7 @@
def_askpass = estrdup(_PATH_SUDO_ASKPASS);
#endif
def_sudoers_locale = estrdup("C");
- def_env_reset = TRUE;
+ def_env_reset = FALSE;
def_set_logname = TRUE;
def_closefrom = STDERR_FILENO + 1;

View File

@ -1,12 +0,0 @@
--- sudo-1.8.6p4/src/sudo.c.orig 2013-01-23 14:31:28.959527349 +0100
+++ sudo-1.8.6p4/src/sudo.c 2013-01-23 14:31:32.840488423 +0100
@@ -184,9 +184,6 @@
# endif
#endif /* HAVE_GETPRPWNAM && HAVE_SET_AUTH_PARAMETERS */
- /* Make sure we are setuid root. */
- sudo_check_suid(argv[0]);
-
/* Reset signal mask, save signal state and make sure fds 0-2 are open. */
(void) sigemptyset(&mask);
(void) sigprocmask(SIG_SETMASK, &mask, NULL);

View File

@ -2,5 +2,4 @@
auth include system-auth
account include system-auth
password include system-auth
session required pam_limits.so
session include system-auth

View File

@ -1,11 +1,9 @@
%define sysadmin_groupid 30
%define sysadmin_name sysadmin
%define with_exempt 0
Name: sudo
Version: 1.9.15p5
Release: 1mamba
Release: 2mamba
Summary: Allows restricted root access for specified users
Group: System/Tools
Vendor: openmamba
@ -15,13 +13,6 @@ URL: https://www.sudo.ws/sudo/
Source0: https://www.sudo.ws/dist/sudo-%{version}.tar.gz
Source1: %{name}-sudoers.conf
Source2: %{name}-pam.conf
Patch2: %{name}-1.6.8p9-samples.patch
Patch3: %{name}-1.6.8p9-can_2005_2959.patch
Patch4: %{name}-1.6.8p12-can_2006_0151.patch
Patch5: %{name}-1.6.8p12-badenv_table_more.patch
Patch6: %{name}-1.6.8p12-sudoers_man.patch
Patch7: %{name}-1.7.0-disable_env_reset.patch
Patch8: %{name}-1.8.6p4-qemu_no_geteuid.patch
License: BSD
## AUTOBUILDREQ-BEGIN
BuildRequires: glibc-devel
@ -47,13 +38,6 @@ The basic philosophy is to give as few privileges as possible but still allow pe
%prep
%setup -q
#%patch2 -p1
#%patch4 -p1 -b .can_2006_0151
%if %with_exempt
%patch 6 -p1 -b .sudoers_man
%endif
#%patch7 -p1
#%patch8 -p1
%build
%configure \
@ -62,6 +46,8 @@ The basic philosophy is to give as few privileges as possible but still allow pe
%if "%{stage1}" != "1"
--with-ldap \
%endif
--with-logfac=auth \
--enable-tmpfiles.d \
--with-pam \
--without-rpath \
--with-tty-tickets \
@ -70,20 +56,14 @@ The basic philosophy is to give as few privileges as possible but still allow pe
--with-ignore-dot \
--with-all-insults \
--without-lecture \
--with-secure-path="\
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/kde/bin:/opt/kde3/bin" \
--with-fqdn \
--with-passprompt="[sudo] password for %p: " \
--with-rundir=/run/sudo \
%if %with_exempt
--with-exempt=%{sysadmin_name} \
%endif
--with-all-insults \
--disable-root-mailer \
--with-sendmail=/usr/sbin/sendmail \
--disable-setresuid
# --disable-envreset
# --with-password-timeout=0
%make
%install
@ -148,7 +128,6 @@ exit 0
%{_libexecdir}/sudo/group_file.so
%{_libexecdir}/sudo/libsudo_util.so
%{_libexecdir}/sudo/libsudo_util.so.*
#%{_libexecdir}/sudo/sample_approval.so
%{_libexecdir}/sudo/sudo_intercept.so
%{_libexecdir}/sudo/sudo_noexec.so
%{_libexecdir}/sudo/sudoers.so
@ -172,9 +151,12 @@ exit 0
%{_mandir}/man8/sudo_sendlog.8*
%{_mandir}/man8/visudo.*
%doc LICENSE.md
#%doc ChangeLog README README.LDAP
%changelog
* Sun Apr 07 2024 Silvan Calarco <silvan.calarco@mambasoft.it> 1.9.15p5-2mamba
- sudo-pam.conf: remove required pam_limits.so and use system defaults for session (fixes running in docker container)
- configure cleanups and improvements
* Mon Feb 12 2024 Automatic Build System <autodist@openmamba.org> 1.9.15p5-1mamba
- automatic update by autodist