sudo-pam.conf: remove required pam_limits.so and use system defaults for session (fixes running in docker container)

configure cleanups and improvements [release 1.9.15p5-2mamba;Sun Apr 07 2024]

sudo-1.6.8p12-badenv_table_more.patch

@@ -1,20 +0,0 @@
---- sudo-1.6.8p12/env.c	2006-04-05 11:26:20.000000000 +0200
-+++ sudo-1.6.8p12-fix/env.c	2006-04-05 11:32:13.000000000 +0200
-@@ -124,12 +124,17 @@
-     "TERMCAP",			/* XXX - only if it starts with '/' */
-     "ENV",
-     "BASH_ENV",
-+    "GLOBIGNORE",
-     "PS4",
-     "SHELLOPTS",
-     "JAVA_TOOL_OPTIONS",
-     "PERLLIB",
-+    "PERL5DB",
-     "PERL5LIB",
-     "PERL5OPT",
-+    "PYTHONHOME",
-+    "PYTHONPATH",
-+    "PYTHONINSPECT",
-     NULL
- };
- 

sudo-1.6.8p12-can_2006_0151.patch

@@ -1,41 +0,0 @@
---- sudo-1.6.8p12/env.c	2006-02-06 14:23:31.000000000 +0100
-+++ sudo-1.6.8p12-fix/env.c	2006-02-06 14:31:06.000000000 +0100
-@@ -142,6 +142,7 @@
-     "LC_*",
-     "LANG",
-     "LANGUAGE",
-+    "TERM",
-     NULL
- };
- 
-@@ -440,6 +441,7 @@
- 	    }
- 
- 	    /* Skip anything listed in env_delete. */
-+#if 0
- 	    for (cur = def_env_delete; cur && okvar; cur = cur->next) {
- 		len = strlen(cur->value);
- 		/* Deal with '*' wildcard */
-@@ -453,9 +455,10 @@
- 		    okvar = 0;
- 		}
- 	    }
-+#endif
- 
- 	    /* Check certain variables for '%' and '/' characters. */
--	    for (cur = def_env_check; cur && okvar; cur = cur->next) {
-+	    for (cur = def_env_check; cur; cur = cur->next) {
- 		len = strlen(cur->value);
- 		/* Deal with '*' wildcard */
- 		if (cur->value[len - 1] == '*') {
-@@ -465,8 +468,8 @@
- 		    iswild = 0;
- 		if (strncmp(cur->value, *ep, len) == 0 &&
- 		    (iswild || (*ep)[len] == '=') &&
--		    strpbrk(*ep, "/%")) {
--		    okvar = 0;
-+		    strpbrk(*ep, "/%") == NULL) {
-+		    okvar = 1;
- 		}
- 	    }
- 

sudo-1.6.8p12-sudoers_man.patch

@@ -1,11 +0,0 @@
---- sudo-1.6.8p12/sudoers.man.in	2005-11-08 19:22:19.000000000 +0100
-+++ sudo-1.6.8p12-fix/sudoers.man.in	2006-04-05 11:08:00.000000000 +0200
-@@ -759,7 +759,7 @@
- .IP "exempt_group" 12
- .IX Item "exempt_group"
- Users in this group are exempt from password and \s-1PATH\s0 requirements.
--This is not set by default.
-+On QiLinux systems, this is set to the group 'sysadmin' by default.
- .IP "verifypw" 12
- .IX Item "verifypw"
- This option controls when a password will be required when a user runs

sudo-1.6.8p9-can_2005_2959.patch

@@ -1,11 +0,0 @@
---- sudo-1.6.8p9/env.c.orig	2005-10-26 08:53:26.000000000 +0200
-+++ sudo-1.6.8p9/env.c	2005-10-26 08:56:21.000000000 +0200
-@@ -89,6 +89,8 @@
- static const char *initial_badenv_table[] = {
-     "IFS",
-     "CDPATH",
-+    "SHELLOPTS",
-+    "PS4",
-     "LOCALDOMAIN",
-     "RES_OPTIONS",
-     "HOSTALIASES",

sudo-1.6.8p9-samples.patch

@@ -1,72 +0,0 @@
-diff -ru sudo-1.6.8p9/ins_classic.h sudo-1.6.8p9-qifix/ins_classic.h
---- sudo-1.6.8p9/ins_classic.h	2004-02-13 21:36:43.000000000 +0000
-+++ sudo-1.6.8p9-qifix/ins_classic.h	2005-09-30 09:22:24.000000000 +0000
-@@ -32,7 +32,7 @@
-     "Where did you learn to type?",
-     "Are you on drugs?",
-     "My pet ferret can type better than you!",
--    "You type like i drive.",
-+    "You type like I drive.",
-     "Do you think like you type?",
-     "Your mind just hasn't been the same since the electro-shock, has it?",
- 
-diff -ru sudo-1.6.8p9/sample.sudoers sudo-1.6.8p9-qifix/sample.sudoers
---- sudo-1.6.8p9/sample.sudoers	2004-05-17 22:31:35.000000000 +0000
-+++ sudo-1.6.8p9-qifix/sample.sudoers	2005-09-30 09:31:59.000000000 +0000
-@@ -36,15 +36,14 @@
- ##
- Cmnd_Alias	DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \
- 			/usr/sbin/rrestore, /usr/bin/mt
--Cmnd_Alias	KILL = /usr/bin/kill
-+Cmnd_Alias	KILL = /bin/kill
- Cmnd_Alias	PRINTING = /usr/sbin/lpc, /usr/bin/lprm
--Cmnd_Alias	SHUTDOWN = /usr/sbin/shutdown
--Cmnd_Alias	HALT = /usr/sbin/halt
--Cmnd_Alias	REBOOT = /usr/sbin/reboot
--Cmnd_Alias	SHELLS = /sbin/sh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
--			 /usr/local/bin/tcsh, /usr/bin/rsh, \
--			 /usr/local/bin/zsh
--Cmnd_Alias	SU = /usr/bin/su
-+Cmnd_Alias	SHUTDOWN = /sbin/shutdown
-+Cmnd_Alias	HALT = /sbin/halt
-+Cmnd_Alias	REBOOT = /sbin/reboot
-+Cmnd_Alias	SHELLS = /bin/sh, /bin/sh, /bin/csh, /bin/ksh, /bin/rsh, \
-+                         /bin/tcsh, /bin/zsh
-+Cmnd_Alias	SU = /bin/su
- Cmnd_Alias	VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \
- 		       /usr/bin/chfn
- 
-@@ -82,7 +81,7 @@
- 		sudoedit /etc/printcap, /usr/oper/bin/
- 
- # joe may su only to operator
--joe		ALL = /usr/bin/su operator
-+joe		ALL = /bin/su operator
- 
- # pete may change passwords for anyone but root on the hp snakes
- pete		HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
-@@ -96,13 +95,13 @@
- 
- # users in the secretaries netgroup need to help manage the printers
- # as well as add and remove users
--+secretaries	ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
-++secretaries	ALL = PRINTING, /usr/sbin/useradd, /usr/sbin/userdel
- 
- # fred can run commands as oracle or sybase without a password
- fred		ALL = (DB) NOPASSWD: ALL
- 
- # on the alphas, john may su to anyone but root and flags are not allowed
--john		ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
-+john		ALPHA = /usr/bin/su [!-]*, !/bin/su *root*
- 
- # jen can run anything on all machines except the ones
- # in the "SERVERS" Host_Alias
-@@ -123,7 +122,7 @@
- # users in the WEBMASTERS User_Alias (will, wendy, and wim)
- # may run any command as user www (which owns the web pages)
- # or simply su to www.
--WEBMASTERS	www = (www) ALL, (root) /usr/bin/su www
-+WEBMASTERS	www = (www) ALL, (root) /bin/su www
- 
- # anyone can mount/unmount a cd-rom on the machines in the CDROM alias
- ALL		CDROM = NOPASSWD: /sbin/umount /CDROM,\

sudo-1.7.0-disable_env_reset.patch

@@ -1,12 +0,0 @@
-diff -Nru sudo-1.7.0.orig/defaults.c sudo-1.7.0/defaults.c
---- sudo-1.7.0.orig/defaults.c	2008-11-09 15:13:12.000000000 +0100
-+++ sudo-1.7.0/defaults.c	2009-01-05 05:08:06.000000000 +0100
-@@ -428,7 +428,7 @@
-     def_askpass = estrdup(_PATH_SUDO_ASKPASS);
- #endif
-     def_sudoers_locale = estrdup("C");
--    def_env_reset = TRUE;
-+    def_env_reset = FALSE;
-     def_set_logname = TRUE;
-     def_closefrom = STDERR_FILENO + 1;
- 

sudo-1.8.6p4-qemu_no_geteuid.patch

@@ -1,12 +0,0 @@
---- sudo-1.8.6p4/src/sudo.c.orig	2013-01-23 14:31:28.959527349 +0100
-+++ sudo-1.8.6p4/src/sudo.c	2013-01-23 14:31:32.840488423 +0100
-@@ -184,9 +184,6 @@
- # endif
- #endif /* HAVE_GETPRPWNAM && HAVE_SET_AUTH_PARAMETERS */
- 
--    /* Make sure we are setuid root. */
--    sudo_check_suid(argv[0]);
--
-     /* Reset signal mask, save signal state and make sure fds 0-2 are open. */
-     (void) sigemptyset(&mask);
-     (void) sigprocmask(SIG_SETMASK, &mask, NULL);

sudo-pam.conf

@@ -2,5 +2,4 @@
 auth       include      system-auth
 account    include      system-auth
 password   include      system-auth
-session    required     pam_limits.so
-
+session    include      system-auth

sudo.spec

@@ -1,11 +1,9 @@
 %define sysadmin_groupid 30
 %define sysadmin_name    sysadmin
 
-%define with_exempt 0
-
 Name:          sudo
 Version:       1.9.15p5
-Release:       1mamba
+Release:       2mamba
 Summary:       Allows restricted root access for specified users
 Group:         System/Tools
 Vendor:        openmamba
@@ -15,13 +13,6 @@ URL:           https://www.sudo.ws/sudo/
 Source0:       https://www.sudo.ws/dist/sudo-%{version}.tar.gz
 Source1:       %{name}-sudoers.conf
 Source2:       %{name}-pam.conf
-Patch2:        %{name}-1.6.8p9-samples.patch
-Patch3:        %{name}-1.6.8p9-can_2005_2959.patch
-Patch4:        %{name}-1.6.8p12-can_2006_0151.patch
-Patch5:        %{name}-1.6.8p12-badenv_table_more.patch
-Patch6:        %{name}-1.6.8p12-sudoers_man.patch
-Patch7:        %{name}-1.7.0-disable_env_reset.patch
-Patch8:        %{name}-1.8.6p4-qemu_no_geteuid.patch
 License:       BSD
 ## AUTOBUILDREQ-BEGIN
 BuildRequires: glibc-devel
@@ -47,13 +38,6 @@ The basic philosophy is to give as few privileges as possible but still allow pe
 
 %prep
 %setup -q
-#%patch2 -p1
-#%patch4 -p1 -b .can_2006_0151
-%if %with_exempt
-%patch 6 -p1 -b .sudoers_man
-%endif
-#%patch7 -p1
-#%patch8 -p1
 
 %build
 %configure \
@@ -62,6 +46,8 @@ The basic philosophy is to give as few privileges as possible but still allow pe
 %if "%{stage1}" != "1"
    --with-ldap \
 %endif
+   --with-logfac=auth \
+   --enable-tmpfiles.d \
    --with-pam \
    --without-rpath \
    --with-tty-tickets \
@@ -70,20 +56,14 @@ The basic philosophy is to give as few privileges as possible but still allow pe
    --with-ignore-dot \
    --with-all-insults \
    --without-lecture \
-   --with-secure-path="\
-/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/kde/bin:/opt/kde3/bin" \
    --with-fqdn \
+   --with-passprompt="[sudo] password for %p: " \
    --with-rundir=/run/sudo \
-%if %with_exempt
-   --with-exempt=%{sysadmin_name} \
-%endif
+   --with-all-insults \
    --disable-root-mailer \
    --with-sendmail=/usr/sbin/sendmail \
    --disable-setresuid
 
-#   --disable-envreset
-#  --with-password-timeout=0
-
 %make
 
 %install
@@ -148,7 +128,6 @@ exit 0
 %{_libexecdir}/sudo/group_file.so
 %{_libexecdir}/sudo/libsudo_util.so
 %{_libexecdir}/sudo/libsudo_util.so.*
-#%{_libexecdir}/sudo/sample_approval.so
 %{_libexecdir}/sudo/sudo_intercept.so
 %{_libexecdir}/sudo/sudo_noexec.so
 %{_libexecdir}/sudo/sudoers.so
@@ -172,9 +151,12 @@ exit 0
 %{_mandir}/man8/sudo_sendlog.8*
 %{_mandir}/man8/visudo.*
 %doc LICENSE.md
-#%doc ChangeLog README README.LDAP
 
 %changelog
+* Sun Apr 07 2024 Silvan Calarco <silvan.calarco@mambasoft.it> 1.9.15p5-2mamba
+- sudo-pam.conf: remove required pam_limits.so and use system defaults for session (fixes running in docker container)
+- configure cleanups and improvements
+
 * Mon Feb 12 2024 Automatic Build System <autodist@openmamba.org> 1.9.15p5-1mamba
 - automatic update by autodist