commit sudo for openSUSE:Factory
Hello community,
here is the log from the commit of package sudo for openSUSE:Factory
checked in at Thu Jul 16 16:55:43 CEST 2009.
--------
--- sudo/sudo.changes 2009-04-27 17:37:58.000000000 +0200
+++ sudo/sudo.changes 2009-07-13 14:59:30.000000000 +0200
@@ -1,0 +2,36 @@
+Mon Jul 13 14:43:20 CEST 2009 - prusnak@suse.cz
+
+- updated to 1.7.2
+ * A new #includedir directive is available in sudoers. This can be
+ used to implement an /etc/sudo.d directory. Files in an includedir
+ are not edited by visudo unless they contain a syntax error.
+ * The -g option did not work properly when only setting the group
+ (and not the user). Also, in -l mode the wrong user was displayed
+ for sudoers entries where only the group was allowed to be set.
+ * Fixed a problem with the alias checking in visudo which
+ could prevent visudo from exiting.
+ * Sudo will now correctly parse the shell-style /etc/environment
+ file format used by pam_env on Linux.
+ * When doing password and group database lookups, sudo will only
+ cache an entry by name or by id, depending on how the entry was
+ looked up. Previously, sudo would cache by both name and id
+ from a single lookup, but this breaks sites that have multiple
+ password or group database names that map to the same uid or
+ gid.
+ * User and group names in sudoers may now be enclosed in double
+ quotes to avoid having to escape special characters.
+ * BSM audit fixes when changing to a non-root uid.
+ * Experimental non-Unix group support. Currently only works with
+ Quest Authorization Services and allows Active Directory groups
+ fixes for Minix-3.
+ * For Netscape/Mozilla-derived LDAP SDKs the certificate and key
+ paths may be specified as a directory or a file. However, version
+ 5.0 of the SDK only appears to support using a directory (despite
+ documentation to the contrary). If SSL client initialization
+ fails and the certificate or key paths look like they could be
+ default file name, strip off the last path element and try again.
+ * A setenv() compatibility fix for Linux systems, where a NULL
+ value is treated the same as an empty string and the variable
+ name is checked against the NULL pointer.
+
+-------------------------------------------------------------------
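Review bot: the "Experimental non-Unix group support" item looks truncated. "allows Active Directory groups" runs straight into "fixes for Minix-3.", which reads like the tail of a separate item. Restore the missing text from the upstream 1.7.2 release notes, or split this into two bullets, so the entry says what the Active Directory group support actually permits.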
calling whatdependson for head-i586
Old:
----
sudo-1.7.1.pamd
sudo-1.7.1.tar.bz2
New:
----
sudo-1.7.2.tar.bz2
sudo.pamd
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ sudo.spec ++++++
--- /var/tmp/diff_new_pack.4LUkOk/_old 2009-07-16 16:54:33.000000000 +0200
+++ /var/tmp/diff_new_pack.4LUkOk/_new 2009-07-16 16:54:33.000000000 +0200
@@ -1,5 +1,5 @@
#
-# spec file for package sudo (Version 1.7.1)
+# spec file for package sudo (Version 1.7.2)
#
# Copyright (c) 2009 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
@@ -22,23 +22,22 @@
BuildRequires: openldap2-devel pam-devel postfix
BuildRequires: libselinux-devel
PreReq: coreutils
-Version: 1.7.1
+Version: 1.7.2
Release: 1
-AutoReqProv: on
Group: System/Base
-License: BSD 3-Clause
+License: BSD 3-clause (or similar)
Url: http://www.sudo.ws/
Summary: Execute some commands as root
Source0: %{name}-%{version}.tar.bz2
-Source1: %{name}-%{version}.pamd
+Source1: %{name}.pamd
Source2: README.SUSE
-Patch1: %{name}-%{version}-defaults.diff
-Patch2: %{name}-%{version}-sudoers.diff
-Patch3: %{name}-%{version}-__P.diff
-Patch4: %{name}-%{version}-strip.diff
-Patch5: %{name}-%{version}-secure_path.diff
-Patch6: %{name}-%{version}-env.diff
-Patch7: %{name}-%{version}-pam_rhost.diff
+Patch1: %{name}-1.7.1-defaults.diff
+Patch2: %{name}-1.7.1-sudoers.diff
+Patch3: %{name}-1.7.1-__P.diff
+Patch4: %{name}-1.7.1-strip.diff
+Patch5: %{name}-1.7.1-secure_path.diff
+Patch6: %{name}-1.7.1-env.diff
+Patch7: %{name}-1.7.1-pam_rhost.diff
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
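Review bot: Patch1 through Patch7 now hardcode 1.7.1 in their file names while Version moves to 1.7.2, so the seven distribution patches are carried over without a refresh. Confirm each still applies cleanly to the 1.7.2 tree, in particular `%{name}-1.7.1-secure_path.diff` and `%{name}-1.7.1-pam_rhost.diff`, which change security-relevant behaviour. Giving them unversioned names, as done for Source1 (`%{name}.pamd`), would avoid a stale version in the name. The License change to "BSD 3-clause (or similar)" and the removal of `AutoReqProv: on` are not mentioned in the sudo.changes entry and should be.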
@@ -67,7 +66,7 @@
%patch5
%patch6
%patch7
-cp %{S:1} %{S:2} .
+cp %{SOURCE2} .
%build
%ifarch s390 s390x
@@ -99,7 +98,7 @@
make DESTDIR=$RPM_BUILD_ROOT install
install -d -m 700 $RPM_BUILD_ROOT/var/run/sudo
install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/pam.d
-install -m 644 sudo-%{version}.pamd $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/sudo
+install -m 644 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/sudo
install -m 755 sudoers2ldif $RPM_BUILD_ROOT%{_sbindir}/sudoers2ldif
rm -f $RPM_BUILD_ROOT%{_bindir}/sudoedit
ln -sf %{_bindir}/sudo $RPM_BUILD_ROOT%{_bindir}/sudoedit
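Review bot: `install -m 644 %{SOURCE1}` now installs the renamed sudo.pamd as /etc/pam.d/sudo, but the contents of that file appear nowhere in this diff; the file list only shows sudo-1.7.1.pamd replaced by sudo.pamd. Since this is the PAM stack sudo authenticates through, confirm it is a pure rename with identical contents, and record the rename in sudo.changes.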
@@ -123,402 +122,3 @@
/var/run/sudo
%changelog
-* Mon Apr 27 2009 prusnak@suse.cz
-- updated to 1.7.1
- * A new Defaults option "pwfeedback" will cause sudo to provide visual
- feedback when the user is entering a password.
- * A new Defaults option "fast_glob" will cause sudo to use the fnmatch()
- function for file name globbing instead of glob(). When this option
- is enabled, sudo will not check the file system when expanding wildcards.
- This is faster but a side effect is that relative paths with wildcard
- will no longer work.
- * The file name specified with the #include directive may now include
- a %%h escape which is expanded to the short form of hostname.
- * The -k flag may now be specified along with a command, causing the
- user's timestamp file to be ignored.
- * The unused alias checks in visudo now handle the case of an alias
- referring to another alias.
-* Mon Jan 26 2009 prusnak@suse.cz
-- updated to 1.7.0
- * Rewritten parser that converts sudoers into a set of data structures.
- This eliminates a number of ordering issues and makes it possible to
- apply sudoers Defaults entries before searching for the command. It
- also adds support for per-command Defaults specifications.
- * Sudoers now supports a #include facility to allow the inclusion of
- other sudoers-format files.
- * Sudo's -l (list) flag has been enhanced:
- o applicable Defaults options are now listed
- o a command argument can be specified for testing whether a user may run
- a specific command.
- o a new -U flag can be used in conjunction with sudo -l to allow root
- (or a user with sudo ALL) to list another user's privileges.
- * A new -g flag has been added to allow the user to specify a primary group
- to run the command as. The sudoers syntax has been extended to include
- a group section in the Runas specification.
- * A uid may now be used anywhere a username is valid.
- * The secure_path run-time Defaults option has been restored.
- * Password and group data is now cached for fast lookups.
- * The file descriptor at which sudo starts closing all open files is now
- configurable via sudoers and, optionally, the command line.
- * visudo will now warn about aliases that are defined but not used.
- * The -i and -s command line flags now take an optional command to be run
- via the shell. Previously, the argument was passed to the shell as
- a script to run.
- * Improved LDAP support. SASL authentication may now be used in conjunction
- when connecting to an LDAP server. The krb5_ccname parameter in ldap.conf
- may be used to enable Kerberos.
- * Support for /etc/nsswitch.conf. LDAP users may now use nsswitch.conf
- to specify the sudoers order. E.g.:
- sudoers: ldap files
- to check LDAP, then /etc/sudoers. The default is files, even when LDAP
- support is compiled in. This differs from sudo 1.6 where LDAP was always
- consulted first.
- * Support for /etc/environment on AIX and Linux. If sudo is run with the -i
- flag, the contents of /etc/environment are used to populate the new
- environment that is passed to the command being run.
- * Sudo now ignores user .ldaprc files as well as system LDAP defaults.
- All LDAP configuration is now in /etc/ldap.conf (or whichever file was
- specified by configure's --with-ldap-conf-file option). If you are using
- TLS, you may now need to specify:
- tls_checkpeer no
- in sudo's ldap.conf unless ldap.conf references a valid certificate
- authority file(s).
- * If no terminal is available or if the new -A flag is specified, sudo
- will use a helper program to read the password if one is configured.
- Typically, this is a graphical password prompter such as ssh-askpass.
- * A new Defaults option, "mailfrom" that sets the value of the "From:"
- field in the warning/error mail. If unspecified, the login name of
- the invoking user is used.
- * Resource limits are now set to the default value for the user the command
- is being run as on AIX systems.
- * A new Defaults option, "env_file" that refers to a file containing
- environment variables to be set in the command being run.
- * A new -n flag is available which may be used to indicate that sudo should
- not prompt the user for a password and, instead, exit with an error if
- authentication is required.
- * A new Defaults option, "sudoers_locale" that can be used to set the locale
- to be used when parsing the sudoers file.
- * sudoedit now checks the EDITOR and VISUAL environment variables to make sure
- sudoedit is not re-invoking itself (or sudo). This allows one to set EDITOR
- to sudoedit without getting into an infinite loop for programs that need
- to invoke an editor such as crontab(1). Also added SUDO_EDITOR environment
- variable which is used by sudoedit in preference to EDITOR/VISUAL.
- * The versions of glob(3) and fnmatch(3) bundled with sudo now support POSIX
- character classes.
- * If sudo needs to prompt for a password and it is unable to disable echo
- (and no askpass program is defined), it will refuse to run unless the
- "visiblepw" Defaults option has been specified.
- * Prior to version 1.7.0, hitting enter/return at the Password: prompt would
- exit sudo. In sudo 1.7.0 and beyond, this is treated as an empty password.
- To exit sudo, the user must now press ^C or ^D at the prompt.
-* Wed Aug 20 2008 prusnak@suse.cz
-- enabled SELinux support [Fate#303662]
-- added comment about !env_reset into sudoers file
-* Wed Aug 06 2008 prusnak@suse.cz
-- updated to 1.6.9p17
- * The -i flag should imply resetting the environment, as it did in
- sudo version prior to 1.6.9. Also, the -i and -E flags are
- mutually exclusive.
- * Fixed the configure test for dirfd() under Linux.
- * Fixed test for whether -lintl is required to link.
- * Changed how sudo handles the child process when sending mail.
- This fixes a problem on Linux with the mail_always option.
- * Fixed a problem with line continuation characters inside of
- quoted strings.
-- updated to 1.6.9p16
- * There was a missing space before the ldap libraries in the Makefile
- for some configurations.
- * LDAPS_PORT may not be defined on older Solaris LDAP SDKs.
- * If the LDAP server could not be contacted and the user was not present
- in sudoers, a syntax error in sudoers was incorrectly reported.
-* Wed Jul 30 2008 prusnak@suse.cz
-- fix note in manpage (added to sudoers.diff) [bnc#404710]
-- added commented 'session optional pam_xauth.so' to pam [bnc#402818]
-* Tue May 06 2008 prusnak@suse.cz
-- do not set PAM_RHOST (pam_rhost.diff) [bnc#386587]
-* Thu Apr 24 2008 prusnak@suse.cz
-- updated to 1.6.9p15
- * updated libtool to version 1.5.26
- * fixed printing of default SELinux role and type in -V mode
- * the HOME environment variable is once again preserved by default,
- as per the documentation
-* Wed Mar 19 2008 prusnak@suse.cz
-- updated to 1.6.9p14
- * Moved LDAP options into a table for simplified parsing/setting.
- * Fixed a problem with how some LDAP options were being applied.
- * Added support for connecting directly to LDAP servers via SSL
- in addition to the existing start_tls support.
- * Fixed a compilation problem on SCO related to how they
- store the high resolution timestamps in struct stat.
- * Avoid checking the passwd file group multiple times
- in the LDAP query when the user's passwd group is also
- listed in the supplemental group vector.
- * The URI specifier can now be used in ldap.conf even when
- the LDAP SDK doesn't support ldap_initialize().
- * New %%p prompt escape that expands to the user whose password
- is being prompted, as specified by the rootpw, targetpw and
- runaspw sudoers flags. Based on a diff from Patrick Schoenfeld.
- * Added a configure check for the ber_set_option() function.
- * Fixed a compilation problem with the HP-UX K&R C compiler.
- * Revamped the Kerberos 5 ticket verification code.
- * Added support for the checkpeer ldap.conf variable for
- netscape-based LDAP SDKs.
- * Fixed a problem where an incomplete password could be echoed
- to the screen if there was a read timeout.
- * Sudo will now set the nproc resource limit to unlimited on Linux
- systems to work around Linux's setuid() resource limit semantics.
- On PAM systems the resource limits will be reset by pam_limits.so
- before the command is executed.
- * SELinux support that can be used to implement role based access
- control (RBAC). A role and (optional) type may be specified
- in sudoers or on the command line. These are then used in the
- security context that the command is run as.
- * Fixed a Kerberos 5 compilation problem with MIT Kerberos.
- * Fixed an invalid assumption in the PAM conversation function
- introduced in version 1.6.9p9. The conversation function may
- be called for non-password reading purposes as well.
- * Fixed freeing an uninitialized pointer in -l mode, introduced in
- version 1.6.9p13.
- * Check /etc/sudoers after LDAP even if the user was found in LDAP.
- This allows Defaults options in /etc/sudoers to take effect.
- * Add missing checks for enforcing mode in SELinux RBAC mode.
-- dropped obsoleted patch:
- * prompt.patch (included in update)
-* Tue Dec 04 2007 prusnak@suse.cz
-- updated to 1.6.9p9
- * the ALL command in sudoers now implies SETENV permissions
- * the command search is now performed using the target user's
- auxiliary group vector too
- * when determining if the PAM prompt is the default "Password: ",
- compare the localized version if possible
- * added passprompt_override flag to sudoers to cause sudo's prompt
- to be used in all cases, also set when the -p flag is used
-* Tue Nov 06 2007 prusnak@suse.cz
-- updated to 1.6.9p8
- * fixed a bug where a sudoers entry with no runas user specified
- was treated differently from a line with the default runas user
- explicitly specified
-* Tue Oct 30 2007 prusnak@suse.cz
-- updated to 1.6.9p7
- * go back to using TCSAFLUSH instead of TCSADRAIN when turning off
- echo during password reading
- * fixed a configure bug that was preventing the addition of -lutil
- for login.conf support on FreeBSD and NetBSD
- * add configure check for struct in6_addr since some systems define
- AF_INET6 but have no real IPv6 support
-* Wed Oct 10 2007 prusnak@suse.cz
-- update to 1.6.9p6
- * worked around bugs in the session support of some PAM
- implementations
- * the full tty path is now passed to PAM as well
- * sudo now only prints the password prompt if the process is in
- the foreground
- * inttypes.h is now included when appropriate if it is present
- * simplified alias allocation in the parser
-* Tue Sep 25 2007 prusnak@suse.cz
-- update to 1.6.9p5
- * fixed a bug related to supplemental group matching
- * added IPv6 support from YOSHIFUJI Hideaki
- * fixed the sudo_noexec installation path
- * fixed a compilation error on old K&R-style compilers
- * fixed a bug in the IP address matching introduced by the IPV6 merge
- * for "visudo -f file" we now use the permissions of the original file
- and not the hard-coded sudoers owner/group/mode
- (this makes it possible to use visudo with a revision control system)
- * fixed sudoedit when used on a non-existent file
- * regenerated configure using autoconf 2.6.1 and libtool 1.5.24
- * groups and netgroups are now valid in an LDAP sudoRunas statement
-- dropped obsolete patches:
- * groupmatch.patch (included in update)
-* Tue Aug 28 2007 prusnak@suse.cz
-- build --without-secure-path
-- hardcoded secure path changed to /usr/sbin:/bin:/usr/bin:/sbin
- (secure_path.diff)
-- user can now add PATH variable to env_keep in /etc/sudoers
-* Tue Aug 14 2007 prusnak@suse.cz
-- added XDG_SESSION_COOKIE to env_keep variables [#298943]
-- fixed supplemental group matching (groupmatch.patch)
-* Sat Aug 11 2007 schwab@suse.de
-- Avoid command line parsing bug in autoconf < 2.59c.
-* Tue Jul 31 2007 prusnak@suse.cz
-- updated to 1.6.9p2
- * fixed a crash in the error logging function
- * worked around a crash when no tty was present in some PAM
- implementations
- * fixed updating of the saved environment when the environ pointer
- gets changed out from underneath us
-* Tue Jul 24 2007 prusnak@suse.cz
-- updated to 1.6.9
- * added to the list of variables to remove from the environment
- * fixed a Kerberos V security issue that could allow a user to
- authenticate using a fake KDC
- * PAM is now the default on systems where it is supported
- * removed POSIX saved uid use; the stay_setuid option now requires
- the setreuid() or setresuid() functions to work
- * fixed fd leak when lecture file option is enabled
- * PAM fixes
- * security fix for Kerberos5
- * fixed securid5 authentication
- * added fcntl F_CLOSEM support to closefrom()
- * sudo now uses the supplemental group vector for matching
- * added more environment variables to remove by default
- * mail from sudo now includes an Auto-Submitted: auto-generated header
- * reworked the environment handling code
- * remove the --with-execv option, it was not useful
- * use TCSADRAIN instead of TCSAFLUSH in tgetpass() since some OSes
- have issues with TCSAFLUSH
- * use glob(3) instead of fnmatch(3) for matching pathnames
- * reworked the syslog long line splitting code based on changes
- from Eygene Ryabinkin
- * visudo will now honor command line arguments in the EDITOR or VISUAL
- environment variables if env_editor is enabled
- * LDAP now honors rootbinddn, timelimit and bind_timelimit in /etc/ldap.conf
- * For LDAP, do a sub tree search instead of a base search (one level in
- the tree only) for sudo right objects
- * env_reset option is now enabled by default
- * moved LDAP schema data into separate files
- * sudo no longer assumes that gr_mem in struct group is non-NULL
- * added support for setting environment variables on the command line
- if the command has the SETENV attribute set in sudoers
- * added a -E flag to preserve the environment if the SETENV attribute
- has been set
- * sudoers2ldif script now parses Runas users
- * -- flag now behaves as documented
- * sudo -k/-K no longer cares if the timestamp is in the future
- * when searching for the command, sudo now uses the effective gid of
- the runas user
- * sudo no longer updates the timestamp if not validated by sudoers
- * now rebuild environment regardless of how sudo was invoked
- * more accurate usage() when called as sudoedit
- * command line environment variables are now treated like normal
- environment variables unless the SETENV tag is set
- * better explanation of environment handling in the sudo man page
-- changed '/usr/bin/env perl' to '/usr/bin/env' in sudoers2ldif
- script (env.diff)
-- dropped obsoleted patches:
- * sudo-1.6.8p12-conf.diff
- * sudo-1.6.8p12-configure.diff
-* Tue Jul 17 2007 prusnak@suse.cz
-- added note about special input method variables into /etc/sudoers
- (sudoers.diff) [#222728]
-* Fri Jan 26 2007 prusnak@suse.cz
-- packaged script sudoers2ldif
- * can be used for importing /etc/sudoers to LDAP
- * more info at http://www.sudo.ws/sudo/readme_ldap.html
-* Wed Jan 24 2007 prusnak@suse.cz
-- added sudoers permission change to %%post section of spec file
-* Thu Nov 30 2006 prusnak@suse.cz
-- package /etc/sudoers as 0440 [Fate#300934]
-* Wed Nov 29 2006 prusnak@suse.cz
-- protect locale-related environment variables from resetting (sudoers.diff) [#222728]
-* Wed Oct 04 2006 mjancar@suse.cz
-- enable LDAP support (#159774)
-* Wed Jun 14 2006 schwab@suse.de
-- Fix quoting in configure script.
-* Wed Mar 08 2006 mjancar@suse.cz
-- don't limit access to local group users (#151938)
-* Fri Jan 27 2006 mjancar@suse.cz
-- set environment and sudo search PATH to SECURE_PATH
- only when env_reset (#145687)
-* Thu Jan 26 2006 schwab@suse.de
-- Fix syntax error in /etc/sudoers.
-* Thu Jan 26 2006 mjancar@suse.cz
-- fix PATH always reset (#145687)
-* Wed Jan 25 2006 mls@suse.de
-- converted neededforbuild to BuildRequires
-* Sun Jan 15 2006 schwab@suse.de
-- Don't strip binaries.
-* Tue Jan 10 2006 mjancar@suse.cz
-- fix CVE-2005-4158 (#140300)
- * compile with --with-secure-path
- * use always_set_home and env_reset by default
-- document purpose of the default asking for root password
-* Wed Dec 21 2005 mjancar@suse.cz
-- update to 1.6.8p12
-* Fri Dec 09 2005 ro@suse.de
-- disabled selinux
-* Tue Aug 02 2005 mjancar@suse.cz
-- update to 1.6.8p9
-* Mon Jun 20 2005 anicka@suse.cz
-- build position independent binaries
-* Mon Feb 28 2005 ro@suse.de
-- update to 1.6.8p7
-* Mon Nov 15 2004 kukuk@suse.de
-- Use common PAM config files
-* Mon Sep 13 2004 ro@suse.de
-- undef __P first
-* Tue Apr 06 2004 kukuk@suse.de
-- fix default permissions of sudo
-* Fri Mar 26 2004 ro@suse.de
-- added postfix to neededforbuild
-* Wed Feb 25 2004 lnussel@suse.de
-- Add comment and warning for 'Defaults targetpw' to config file
-* Thu Jan 29 2004 kukuk@suse.de
-- Fix sudo configuration broken by last patch
-* Wed Jan 28 2004 kukuk@suse.de
-- Add SELinux patch
-* Thu Jan 22 2004 ro@suse.de
-- package /etc/sudoers as 0640
-* Fri Jan 16 2004 kukuk@suse.de
-- Add pam-devel to neededforbuild
-* Sun Jan 11 2004 adrian@suse.de
-- build as user
-* Fri Nov 07 2003 schwab@suse.de
-- Fix quoting in configure script.
-* Wed Sep 10 2003 mjancar@suse.cz
-- move the defaults to better place in /etc/sudoers (#30282)
-* Mon Aug 25 2003 mjancar@suse.cz
-- update to 1.6.7p5
- * Fixed a problem with large numbers
- of environment variables.
-- more useful defaults (#28056)
-* Wed May 14 2003 mjancar@suse.cz
-- update to version 1.6.7p4
-* Fri Feb 07 2003 kukuk@suse.de
-- Use pam_unix2.so instead of pam_unix.so
-* Wed Jun 05 2002 pmladek@suse.cz
-- updated to version 1.6.6
-- removed obsolete heap-overflow fix in prompt patch
-* Mon Apr 22 2002 pmladek@suse.cz
-- fixed a heap-overflow (prompt patch)
-- fixed prompt behaviour, %% is always translated to %% (prompt patch)
-* Tue Feb 12 2002 pmladek@suse.cz
-- insults are really off by default now [#13134]
-- sudo.pamd moved from patch to sources
-- used %%defattr(-,root,root)
-* Thu Jan 24 2002 postadal@suse.cz
-- updated to version 1.6.5p2
-* Thu Jan 17 2002 pmladek@suse.cz
-- updated to version 1.6.5p1
-- removed obsolete security patch (to do not run mailer as root),
- sudo runs mailer again as root but with hard-coded environment
-* Wed Jan 02 2002 pmladek@suse.cz
-- aplied security patch from Sebastian Krahmer
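Review bot: this drops the entire %changelog body from the spec (399 lines, back to 2002), including the security history: "fix CVE-2005-4158 (#140300)", "fixed a heap-overflow (prompt patch)" and the 1.6.9 Kerberos fixes. That is fine only if sudo.changes is the single source and already carries the same entries. The sudo.changes hunk in this mail shows just the new 1.7.2 entry, so verify the older entries are present there before they disappear from the spec.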
participants (1)
-
root@hilbert.suse.de