commit sudo.1396 for openSUSE:12.1:Update
Hello community,
here is the log from the commit of package sudo.1396 for openSUSE:12.1:Update checked in at 2013-03-20 10:45:38
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:12.1:Update/sudo.1396 (Old)
and /work/SRC/openSUSE:12.1:Update/.sudo.1396.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sudo.1396", Maintainer is ""
Changes:
--------
New Changes file:
--- /dev/null 2013-02-26 18:15:11.936010755 +0100
+++ /work/SRC/openSUSE:12.1:Update/.sudo.1396.new/sudo.changes 2013-03-20 10:45:40.000000000 +0100
@@ -0,0 +1,894 @@
+-------------------------------------------------------------------
+Fri Mar 1 11:12:28 UTC 2013 - vcizek@suse.com
+
+- added two security fixes:
+ * CVE-2013-1775 (bnc#806919)
+ + sudo-1.8.6p3-CVE-2013-1775.patch
+ * CVE-2013-1776 (bnc#806921)
+ + sudo-1.8.6p3-CVE-2013-1776.patch
+
+-------------------------------------------------------------------
+Fri Jun 1 14:37:24 UTC 2012 - vcizek@suse.com
+
+- set global ldap option before ldap init (bnc#760697)
+
+-------------------------------------------------------------------
+Fri May 18 15:05:38 UTC 2012 - vcizek@suse.com
+
+- open and close PAM session in the same process (bnc#751453)
+
+-------------------------------------------------------------------
+Wed May 16 09:27:44 UTC 2012 - vcizek@suse.com
+
+- fix for CVE-2012-2337 (bnc#762327)
+
+-------------------------------------------------------------------
+Mon Jan 30 11:43:47 UTC 2012 - vcizek@suse.com
+
+- fix for CVE-2012-0809 (bnc#743300)
+
+-------------------------------------------------------------------
+Mon Jan 2 16:23:49 UTC 2012 - vcizek@suse.cz
+
+- escape values passed to ldap_search (bnc#724490)
+
+-------------------------------------------------------------------
+Thu Oct 13 00:59:49 UTC 2011 - prusnak@opensuse.org
+
+- updated to sudo-1.8.2
+ * Sudo, visudo, sudoreplay and the sudoers plug-in now have natural
+ language support (NLS). This can be disabled by passing configure
+ the --disable-nls option. Sudo will use gettext(), if available,
+ to display translated messages. All translations are coordinated
+ via The Translation Project, http://translationproject.org/.
+ * Plug-ins are now loaded with the RTLD_GLOBAL flag instead of
+ RTLD_LOCAL. This fixes missing symbol problems in PAM modules
+ on certain platforms, such as FreeBSD and SuSE Linux Enterprise.
+ * I/O logging is now supported for commands run in background mode
+ (using sudo's -b flag).
+ * Group ownership of the sudoers file is now only enforced when
+ the file mode on sudoers allows group readability or writability.
+ * Visudo now checks the contents of an alias and warns about cycles
+ when the alias is expanded.
+ * If the user specifes a group via sudo's -g option that matches
+ the target user's group in the password database, it is now
+ allowed even if no groups are present in the Runas_Spec.
+ * The sudo Makefiles now have more complete dependencies which are
+ automatically generated instead of being maintained manually.
+ * The "use_pty" sudoers option is now correctly passed back to the
+ sudo front end. This was missing in previous versions of sudo
+ 1.8 which prevented "use_pty" from being honored.
+ * "sudo -i command" now works correctly with the bash version
+ 2.0 and higher. Previously, the .bash_profile would not be
+ sourced prior to running the command unless bash was built with
+ NON_INTERACTIVE_LOGIN_SHELLS defined.
+ * When matching groups in the sudoers file, sudo will now match
+ based on the name of the group instead of the group ID. This can
+ substantially reduce the number of group lookups for sudoers
+ files that contain a large number of groups.
+ * Multi-factor authentication is now supported on AIX.
+ * Added support for non-RFC 4517 compliant LDAP servers that require
+ that seconds be present in a timestamp, such as Tivoli Directory Server.
+ * If the group vector is to be preserved, the PATH search for the
+ command is now done with the user's original group vector.
+ * For LDAP-based sudoers, the "runas_default" sudoOption now works
+ properly in a sudoRole that contains a sudoCommand.
+ * Spaces in command line arguments for "sudo -s" and "sudo -i" are
+ now escaped with a backslash when checking the security policy.
+- added missing include (grp-include.patch)
+
+-------------------------------------------------------------------
+Fri May 20 12:10:45 UTC 2011 - puzel@novell.com
+
+- update to sudo-1.8.1p2
+ - Two-character CIDR-style IPv4 netmasks are now matched
+ correctly in the sudoers file.
+ - A non-existent includedir is now treated the same as an empty
+ directory and not reported as an error.
+ - Removed extraneous parens in LDAP filter when
+ sudoers_search_filter is enabled that can cause an LDAP search
+ error.
+ - A new LDAP setting, sudoers_search_filter, has been added to
+ ldap.conf. This setting can be used to restrict the set of
+ records returned by the LDAP query. Based on changes from
+ Matthew Thomas.
+ - White space is now permitted within a User_List when used in
+ conjunction with a per-user Defaults definition.
+ - A group ID (%#gid) may now be specified in a User_List or
+ Runas_List. Likewise, for non-Unix groups the syntax is
+ %:#gid.
+ - Support for double-quoted words in the sudoers file has been
+ fixed. The change in 1.7.5 for escaping the double quote
+ character caused the double quoting to only be available at the
+ beginning of an entry.
+ - The fix for resuming a suspended shell in 1.7.5 caused problems
+ with resuming non-shells on Linux. Sudo will now save the
+ process group ID of the program it is running on suspend and
+ restore it when resuming, which fixes both problems.
+ - A bug that could result in corrupted output in "sudo -l" has
+ been fixed.
+ - Sudo will now create an entry in the utmp (or utmpx) file when
+ allocating a pseudo-tty (e.g. when logging I/O). The
+ "set_utmp" and "utmp_runas" sudoers file options can be used to
+ control this. Other policy plugins may use the "set_utmp" and
+ "utmp_user" entries in the command_info list.
+ - The sudoreplay utility now supports arbitrary session IDs.
+ Previously, it would only work with the base-36 session IDs
+ that the sudoers plugin uses by default.
+ - Sudo now passes "run_shell=true" to the policy plugin in the
+ settings list when sudo's -s command line option is specified.
+ The sudoers policy plugin uses this to implement the "set_home"
+ sudoers option which was missing from sudo 1.8.0.
+ - The "noexec" functionality has been moved out of the sudoers
+ policy plugin and into the sudo front-end, which matches the
+ behavior documented in the plugin writer's guide. As a result,
+ the path to the noexec file is now specified in the sudo.conf
+ file instead of the sudoers file.
+ - The exit values for "sudo -l", "sudo -v" and "sudo -l command"
+ have been fixed in the sudoers policy plugin.
+ - Sudo now parses command line arguments before loading any
+ plugins. This allows "sudo -V" or "sudo -h" to work even if
+ there is a problem with sudo.conf
+- drop sudo-dont-ignore-LDFLAGS.patch (merged upstream)
+
+-------------------------------------------------------------------
+Thu Mar 17 10:24:49 UTC 2011 - puzel@novell.com
+
+- update to sudo-1.8.0
+ * Sudo has been refactored to use a modular framework that can
+ support third-party policy and I/O logging plugins.
+ * Defaults settings that are tied to a user, host or command may
+ now include the negation operator. For example:
+ Defaults:!millert lecture
+ will match any user but millert.
+ * The default PATH environment variable, used when no PATH
+ variable exists, now includes /usr/sbin and /sbin.
+ * Support for logging I/O for the command being run.
+ * Sudo will now use the Linux audit system.
+ + See /usr/share/doc/packages/sudo/NEWS for full list
+- new configure script flags: enable-warnings, with-linux-audit,
+ docdir, with-sendmail
+- BuildRequires += audit-devel
+- BuildRequires -= postfix
+- PreReq += permissions
+- add sudo-dont-ignore-LDFLAGS.patch
+- drop sudo-1.7.1-defaults.diff (insults disabled in sudoers)
+- drop sudo-1.7.1-__P.diff (no more __P in sudo sources)
+- drop sudo-1.7.1-strip.diff (sudo no longer strips binaries)
+- drop sudo-CVE-2011-0010.patch (in upstream)
+- drop sudo-1.7.1-secure_path.diff (sudo now adds /sbin and
+ /usr/sbin to $PATH if it is empty)
+- drop sudo-1.7.1-pam_rhost.diff (fixed in upstream)
+- sudo-1.7.1-sudoers.diff renamed to sudo-sudoers.patch
+- sudo-1.7.1-env.diff renamed to sudoers2ldif-env.patch
+- do not package *.pod files
+- use %verifyscript
+- timestamp directory moved from /var/run/sudo to /var/lib/sudo
+- better commented default /etc/sudoers
+- packaged /etc/sudoers.d directory
+- new sudo-devel subpackage
+- cleaned specfile
+
+-------------------------------------------------------------------
+Thu Jan 27 09:18:05 UTC 2011 - cprause@novell.com
+
+- added openldap schema file (bnc#667558)
+
+-------------------------------------------------------------------
+Thu Jan 13 10:11:35 UTC 2011 - puzel@novell.com
+
+- add sudo-CVE-2011-0010.patch (bnc#663881)
+
+-------------------------------------------------------------------
+Mon Jun 28 06:38:35 UTC 2010 - jengelh@medozas.de
+
+- use %_smp_mflags
+
+-------------------------------------------------------------------
+Tue Jun 15 21:23:02 UTC 2010 - pascal.bleser@opensuse.org
+
+- update to 1.7.2p7:
+ * portability fixes
+
+- changes from 1.7.2p6:
+ * Handle duplicate variables in the environment
+ * visudo: fix a crash when checking a sudoers file that has aliases
+ that reference themselves
+ * aliases: fix use after free in error message when a duplicate
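Review bot: the Mar 1 2013 entry names CVE-2013-1775 and CVE-2013-1776 only by identifier and bug number; a few words on what each patch fixes, as the entries for bnc#760697 and bnc#751453 do, would make the changelog self-explanatory without opening the patch files. Minor: "specifes" in the 1.8.2 release notes should read "specifies".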
++++ 697 more lines (skipped)
++++ between /dev/null
++++ and /work/SRC/openSUSE:12.1:Update/.sudo.1396.new/sudo.changes
New:
----
README.SUSE
sudo-1.8.2-CVE-2012-0809.patch
sudo-1.8.2-CVE-2012-2337.patch
sudo-1.8.2-ldap_search_escape.patch
sudo-1.8.2-pam_session.patch
sudo-1.8.2-set_ldap_options.patch
sudo-1.8.2.tar.gz
sudo-1.8.6p3-CVE-2013-1775.patch
sudo-1.8.6p3-CVE-2013-1776.patch
sudo-grp-include.patch
sudo-sudoers.patch
sudo.changes
sudo.pamd
sudo.spec
sudoers2ldif-env.patch
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ sudo.spec ++++++
#
# spec file for package sudo
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via http://bugs.opensuse.org/
#
Name: sudo
Version: 1.8.2
Release: 0
Summary: Execute some commands as root
License: BSD-3-Clause
Group: System/Base
Url: http://www.sudo.ws/
Source0: http://sudo.ws/sudo/dist/%{name}-%{version}.tar.gz
Source1: sudo.pamd
Source2: README.SUSE
Patch0: sudoers2ldif-env.patch
Patch1: sudo-sudoers.patch
Patch2: sudo-grp-include.patch
Patch3: sudo-1.8.2-ldap_search_escape.patch
Patch4: sudo-1.8.2-CVE-2012-0809.patch
# PATCH-FIX-UPSTREAM CVE-2012-2337 (bnc#762327)
Patch5: sudo-1.8.2-CVE-2012-2337.patch
# PATCH-FIX-UPSTREAM run pam_session_* in the same thread (bnc#751453)
Patch6: sudo-1.8.2-pam_session.patch
# PATCH-FIX-UPSTREAM set global ldap option before ldap init (bnc#760697)
Patch7: sudo-1.8.2-set_ldap_options.patch
Patch8: sudo-1.8.6p3-CVE-2013-1775.patch
Patch9: sudo-1.8.6p3-CVE-2013-1776.patch
BuildRequires: audit-devel
BuildRequires: libselinux-devel
BuildRequires: openldap2-devel
BuildRequires: pam-devel
PreReq: coreutils
PreReq: permissions
BuildRoot: %{_tmppath}/%{name}-%{version}-build
%description
Sudo is a command that allows users to execute some commands as root.
The /etc/sudoers file (edited with 'visudo') specifies which users have
access to sudo and which commands they can run. Sudo logs all its
activities to syslogd, so the system administrator can keep an eye on
things. After a successful password check, sudo grants access without
re-prompting for a period of N minutes (N is defined at installation and
is set to 5 minutes by default).
%package devel
Summary: Header files needed for sudo plugin development
Group: Development/Libraries/C and C++
%description devel
These header files are needed for building of sudo plugins.
%prep
%setup -q
%patch0 -p1
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
%patch5 -p0
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%build
%ifarch s390 s390x %sparc
F_PIE=-fPIE
%else
F_PIE=-fpie
%endif
export CFLAGS="%{optflags} -Wall $F_PIE -DLDAP_DEPRECATED"
export LDFLAGS="-pie"
%configure \
--libexecdir=%{_libexecdir}/sudo \
--docdir=%{_docdir}/%{name} \
--with-noexec=%{_libexecdir}/sudo/sudo_noexec.so \
--with-pam \
--with-ldap \
--with-selinux \
--with-linux-audit \
--with-logfac=auth \
--with-insults \
--with-all-insults \
--with-ignore-dot \
--with-tty-tickets \
--enable-shell-sets-home \
--enable-warnings \
--with-sendmail=%{_sbindir}/sendmail \
--with-sudoers-mode=0440 \
--with-env-editor \
--without-secure-path \
--with-passprompt='%%p\x27s password:'
make %{?_smp_mflags}
%install
%make_install
install -d -m 755 %{buildroot}%{_sysconfdir}/pam.d
install -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pam.d/sudo
mv %{buildroot}%{_docdir}/%{name}/sudoers2ldif %{buildroot}%{_sbindir}
rm -f %{buildroot}%{_bindir}/sudoedit
ln -sf %{_bindir}/sudo %{buildroot}%{_bindir}/sudoedit
install -d -m 755 %{buildroot}%{_sysconfdir}/openldap/schema
install -m 644 doc/schema.OpenLDAP %{buildroot}%{_sysconfdir}/openldap/schema/sudo.schema
install -m 644 %{SOURCE2} %{buildroot}%{_docdir}/%{name}/
rm -f %{buildroot}%{_docdir}/%{name}/sample.pam
rm -f %{buildroot}%{_docdir}/%{name}/sample.syslog.conf
rm -f %{buildroot}%{_docdir}/%{name}/schema.OpenLDAP
rm -f %{buildroot}%{_libexecdir}/%{name}/sudoers.la
%find_lang %{name}
%find_lang sudoers
cat sudoers.lang >> %{name}.lang
%post
chmod 0440 %{_sysconfdir}/sudoers
%if 0%{?suse_version} <= 1130
%run_permissions
%else
%set_permissions /usr/bin/sudo
%endif
%verifyscript
%verify_permissions -e /usr/bin/sudo
%clean
rm -rf %{buildroot}
%files -f %{name}.lang
%defattr(-,root,root)
%doc %{_docdir}/%{name}
%doc %{_mandir}/man?/*
%config(noreplace) %attr(0440,root,root) %{_sysconfdir}/sudoers
%dir %{_sysconfdir}/sudoers.d
%config %{_sysconfdir}/pam.d/sudo
%attr(4755,root,root) %{_bindir}/sudo
%dir %{_sysconfdir}/openldap
%dir %{_sysconfdir}/openldap/schema
%attr(0444,root,root) %config %{_sysconfdir}/openldap/schema/sudo.schema
%{_bindir}/sudoedit
%{_bindir}/sudoreplay
%{_sbindir}/visudo
%attr(0755,root,root) %{_sbindir}/sudoers2ldif
%{_libexecdir}/sudo
%attr(0700,root,root) %dir %ghost %{_localstatedir}/lib/sudo
%files devel
%defattr(-,root,root)
%{_includedir}/sudo_plugin.h
%changelog
++++++ README.SUSE ++++++
In the default (i.e. unconfigured) configuration sudo asks for the root password.
This allows an ordinary user account to be used for administration of a freshly
installed system. When configuring sudo, please make sure to delete the following
two lines:
Defaults targetpw # ask for the password of the target user i.e. root
%users ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
++++++ sudo-1.8.2-CVE-2012-0809.patch ++++++
Index: sudo-1.8.2/src/sudo.c
===================================================================
--- sudo-1.8.2.orig/src/sudo.c 2011-07-29 16:50:45.000000000 +0200
+++ sudo-1.8.2/src/sudo.c 2012-01-25 12:07:07.609611322 +0100
@@ -1206,15 +1206,15 @@
sudo_debug(int level, const char *fmt, ...)
{
va_list ap;
- char *fmt2;
+ char *buf;
if (level > debug_level)
return;
- /* Backet fmt with program name and a newline to make it a single write */
- easprintf(&fmt2, "%s: %s\n", getprogname(), fmt);
+ /* Bracket fmt with program name and a newline to make it a single write */
va_start(ap, fmt);
- vfprintf(stderr, fmt2, ap);
+ evasprintf(&buf, fmt, ap);
va_end(ap);
- efree(fmt2);
+ fprintf(stderr, "%s: %s\n", getprogname(), buf);
+ efree(buf);
}
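Review bot: the reordering is the right fix: the old code spliced getprogname() (taken from argv[0]) into fmt2 and then handed fmt2 to vfprintf() as the format string, so any % sequence in the program name was interpreted as a conversion; the new code formats the caller's fmt with its arguments first and prints the result through the fixed "%s: %s\n" format, where buf is only ever a %s argument. One follow-up: the retained comment still promises "a single write", but the line is now assembled inside fprintf() on stderr rather than in one pre-built string, so if the non-interleaving property matters, build the complete line with easprintf() and write it once before efree().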
++++++ sudo-1.8.2-CVE-2012-2337.patch ++++++
Index: plugins/sudoers/match.c
===================================================================
--- plugins/sudoers/match.c.orig 2011-05-23 20:06:14.000000000 +0200
+++ plugins/sudoers/match.c 2012-05-16 11:40:46.995676836 +0200
@@ -620,7 +620,7 @@ addr_matches_if(char *n)
for (ifp = interfaces; ifp != NULL; ifp = ifp->next) {
if (ifp->family != family)
continue;
- switch(family) {
+ switch (family) {
case AF_INET:
if (ifp->addr.ip4.s_addr == addr.ip4.s_addr ||
(ifp->addr.ip4.s_addr & ifp->netmask.ip4.s_addr)
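Review bot: this hunk is whitespace only (`switch(family)` to `switch (family)`); in a security backport it is better left out so the diff shows nothing but the behavioural change and is easier to audit against the upstream fix.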
@@ -638,6 +638,7 @@ addr_matches_if(char *n)
}
if (j == sizeof(addr.ip6.s6_addr))
return TRUE;
+ break;
#endif
}
}
@@ -700,6 +701,7 @@ addr_matches_if_netmask(char *n, char *m
case AF_INET:
if ((ifp->addr.ip4.s_addr & mask.ip4.s_addr) == addr.ip4.s_addr)
return TRUE;
+ break;
#ifdef HAVE_IN6_ADDR
case AF_INET6:
for (j = 0; j < sizeof(addr.ip6.s6_addr); j++) {
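Review bot: this is the substantive fix. Without the break, an AF_INET entry whose masked comparison did not match fell through into the AF_INET6 case and was then compared byte-wise against the ip6 fields of the same union, a comparison that has no meaning for an IPv4 netmask entry and can produce a result the sudoers author did not write. Adding break after the IPv4 comparison ends the case; a regression test with a Host_List netmask entry that must not match the host's IPv4 address would guard against this reappearing.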
@@ -708,6 +710,7 @@ addr_matches_if_netmask(char *n, char *m
}
if (j == sizeof(addr.ip6.s6_addr))
return TRUE;
+ break;
#endif /* HAVE_IN6_ADDR */
}
}
++++++ sudo-1.8.2-ldap_search_escape.patch ++++++
--- sudo-1.8.3p1/plugins/sudoers/ldap.c.orig Fri Oct 21 09:01:25 2011
+++ sudo-1.8.3p1/plugins/sudoers/ldap.c Wed Dec 7 15:07:56 2011
@@ -972,6 +972,99 @@
}
/*
+ * Determine length of query value after escaping characters
+ * as per RFC 4515.
+ */
+static size_t
+sudo_ldap_value_len(const char *value)
+{
+ const char *s;
+ size_t len = 0;
+
+ for (s = value; *s != '\0'; s++) {
+ switch (*s) {
+ case '\\':
+ case '(':
+ case ')':
+ case '*':
+ len += 2;
+ break;
+ }
+ }
+ len += (size_t)(s - value);
+ return len;
+}
+
+/*
+ * Like strlcat() but escapes characters as per RFC 4515.
+ */
+static size_t
+sudo_ldap_value_cat(char *dst, const char *src, size_t size)
+{
+ char *d = dst;
+ const char *s = src;
+ size_t n = size;
+ size_t dlen;
+
+ /* Find the end of dst and adjust bytes left but don't go past end */
+ while (n-- != 0 && *d != '\0')
+ d++;
+ dlen = d - dst;
+ n = size - dlen;
+
+ if (n == 0)
+ return dlen + strlen(s);
+ while (*s != '\0') {
+ switch (*s) {
+ case '\\':
+ if (n < 3)
+ goto done;
+ *d++ = '\\';
+ *d++ = '5';
+ *d++ = 'c';
+ n -= 3;
+ break;
+ case '(':
+ if (n < 3)
+ goto done;
+ *d++ = '\\';
+ *d++ = '2';
+ *d++ = '8';
+ n -= 3;
+ break;
+ case ')':
+ if (n < 3)
+ goto done;
+ *d++ = '\\';
+ *d++ = '2';
+ *d++ = '9';
+ n -= 3;
+ break;
+ case '*':
+ if (n < 3)
+ goto done;
+ *d++ = '\\';
+ *d++ = '2';
+ *d++ = 'a';
+ n -= 3;
+ break;
+ default:
+ if (n < 1)
+ goto done;
+ *d++ = *s;
+ n--;
+ break;
+ }
+ s++;
+ }
+done:
+ *d = '\0';
+ while (*s != '\0')
+ s++;
+ return dlen + (s - src); /* count does not include NUL */
+}
+
+/*
* Builds up a filter to check against LDAP.
*/
static char *
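Review bot: the remaining-space checks in sudo_ldap_value_cat() do not reserve a byte for the terminator written at done:. With n bytes left from d to the end of the buffer, `if (n < 3)` lets three escape bytes and `if (n < 1)` lets one plain byte be written when they exactly exhaust n, after which `*d = '\0'` lands at dst[size]. strlcat() avoids this by copying only while n != 1; the same effect here is `if (n < 4)` for the escape cases and `if (n < 2)` for the default case. In this patch every caller sizes the buffer with sudo_ldap_value_len() so the truncation path is never taken, but the helper should be safe on its own since it is named as a strlcat() replacement. The escape set (backslash, parentheses, asterisk) matches what RFC 4515 requires for C strings, which cannot carry the NUL that the RFC also lists.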
@@ -988,17 +1081,17 @@
sz += strlen(ldap_conf.search_filter) + 3;
/* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */
- sz += 29 + strlen(pw->pw_name);
+ sz += 29 + sudo_ldap_value_len(pw->pw_name);
/* Add space for primary and supplementary groups */
if ((grp = sudo_getgrgid(pw->pw_gid)) != NULL) {
- sz += 12 + strlen(grp->gr_name);
+ sz += 12 + sudo_ldap_value_len(grp->gr_name);
}
if ((grlist = get_group_list(pw)) != NULL) {
for (i = 0; i < grlist->ngroups; i++) {
if (grp != NULL && strcasecmp(grlist->groups[i], grp->gr_name) == 0)
continue;
- sz += 12 + strlen(grlist->groups[i]);
+ sz += 12 + sudo_ldap_value_len(grlist->groups[i]);
}
}
@@ -1020,13 +1113,13 @@
/* Global OR + sudoUser=user_name filter */
(void) strlcat(buf, "(|(sudoUser=", sz);
- (void) strlcat(buf, pw->pw_name, sz);
+ (void) sudo_ldap_value_cat(buf, pw->pw_name, sz);
(void) strlcat(buf, ")", sz);
/* Append primary group */
if (grp != NULL) {
(void) strlcat(buf, "(sudoUser=%", sz);
- (void) strlcat(buf, grp->gr_name, sz);
+ (void) sudo_ldap_value_cat(buf, grp->gr_name, sz);
(void) strlcat(buf, ")", sz);
}
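Review bot: the return value of sudo_ldap_value_cat() is discarded with (void), as the strlcat() calls it replaces were. Because sz was computed with sudo_ldap_value_len() in the sizing hunk above this cannot truncate today, but a debug-level check that the returned length stays below sz would catch a future mismatch between the two helpers, which is exactly the kind of drift that turns a correctly escaped filter into a truncated one.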
@@ -1036,7 +1129,7 @@
if (grp != NULL && strcasecmp(grlist->groups[i], grp->gr_name) == 0)
continue;
(void) strlcat(buf, "(sudoUser=%", sz);
- (void) strlcat(buf, grlist->groups[i], sz);
+ (void) sudo_ldap_value_cat(buf, grlist->groups[i], sz);
(void) strlcat(buf, ")", sz);
}
}
++++++ sudo-1.8.2-pam_session.patch ++++++
Index: sudo-1.8.2/doc/sudo_plugin.cat
===================================================================
--- sudo-1.8.2.orig/doc/sudo_plugin.cat 2011-08-17 15:54:18.000000000 +0200
+++ sudo-1.8.2/doc/sudo_plugin.cat 2012-06-01 16:01:07.704685471 +0200
@@ -585,11 +585,12 @@ DDEESSCCRRIIPPTTIIOONN
init_session
int (*init_session)(struct passwd *pwd);
- The init_session function is called when ssuuddoo sets up the execution
- environment for the command, immediately before the contents of the
- _c_o_m_m_a_n_d___i_n_f_o list are applied (before the uid changes). This can
- be used to do session setup that is not supported by _c_o_m_m_a_n_d___i_n_f_o,
- such as opening the PAM session.
+ The init_session function is called before ssuuddoo sets up the
+ execution environment for the command. It is run in the parent
+ ssuuddoo process and before any uid or gid changes. This can be used
+ to perform session setup that is not supported by _c_o_m_m_a_n_d___i_n_f_o,
+ such as opening the PAM session. The close function can be used to
+ tear down the session that was opened by init_session.
The _p_w_d argument points to a passwd struct for the user the command
will be run as if the uid the command will run as was found in the
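Review bot: the new wording states that init_session runs in the parent sudo process before any uid or gid change and that close tears down what init_session opened; it would help to say in the same paragraph that close is also invoked from that parent process, since the point of the change (bnc#751453 in the changelog: open and close the PAM session in the same process) is that both calls share one process, and a plugin author reading only this paragraph cannot tell that from the text.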
Index: sudo-1.8.2/doc/sudo_plugin.man.in
===================================================================
--- sudo-1.8.2.orig/doc/sudo_plugin.man.in 2011-08-17 15:54:18.000000000 +0200
+++ sudo-1.8.2/doc/sudo_plugin.man.in 2012-06-01 16:01:07.705685470 +0200
@@ -756,11 +756,12 @@ support credential caching.
\& int (*init_session)(struct passwd *pwd);
.Ve
.Sp
-The \f(CW\*(C`init_session\*(C'\fR function is called when \fBsudo\fR sets up the
-execution environment for the command, immediately before the
-contents of the \fIcommand_info\fR list are applied (before the uid
-changes). This can be used to do session setup that is not supported
-by \fIcommand_info\fR, such as opening the \s-1PAM\s0 session.
+The \f(CW\*(C`init_session\*(C'\fR function is called before \fBsudo\fR sets up the
+execution environment for the command. It is run in the parent
+\&\fBsudo\fR process and before any uid or gid changes. This can be used
+to perform session setup that is not supported by \fIcommand_info\fR,
+such as opening the \s-1PAM\s0 session. The \f(CW\*(C`close\*(C'\fR function can be
+used to tear down the session that was opened by \f(CW\*(C`init_session\*(C'\fR.
.Sp
The \fIpwd\fR argument points to a passwd struct for the user the
command will be run as if the uid the command will run as was found
Index: sudo-1.8.2/doc/sudo_plugin.pod
===================================================================
--- sudo-1.8.2.orig/doc/sudo_plugin.pod 2011-03-18 15:25:11.000000000 +0100
+++ sudo-1.8.2/doc/sudo_plugin.pod 2012-06-01 16:01:07.705685470 +0200
@@ -698,11 +698,12 @@ support credential caching.
int (*init_session)(struct passwd *pwd);
-The C