commit sudo for openSUSE:Factory
Hello community, here is the log from the commit of package sudo for openSUSE:Factory checked in at Thu Mar 24 09:42:32 CET 2011. -------- --- sudo/sudo.changes 2011-01-28 12:22:22.000000000 +0100 +++ /mounts/work_src_done/STABLE/sudo/sudo.changes 2011-03-21 12:56:21.000000000 +0100 
@@ -1,0 +2,38 @@ +Thu Mar 17 10:24:49 UTC 2011 - puzel@novell.com + +- update to sudo-1.8.0 + * Sudo has been refactored to use a modular framework that can + support third-party policy and I/O logging plugins. + * Defaults settings that are tied to a user, host or command may + now include the negation operator. For example: + Defaults:!millert lecture + will match any user but millert. + * The default PATH environment variable, used when no PATH + variable exists, now includes /usr/sbin and /sbin. + * Support for logging I/O for the command being run. + * Sudo will now use the Linux audit system. + + See /usr/share/doc/packages/sudo/NEWS for full list +- new configure script flags: enable-warnings, with-linux-audit, + docdir, with-sendmail +- BuildRequires += audit-devel +- BuildRequires -= postfix +- PreReq += permissions +- add sudo-dont-ignore-LDFLAGS.patch +- drop sudo-1.7.1-defaults.diff (insults disabled in sudoers) +- drop sudo-1.7.1-__P.diff (no more __P in sudo sources) +- drop sudo-1.7.1-strip.diff (sudo no longer strips binaries) +- drop sudo-CVE-2011-0010.patch (in upstream) +- drop sudo-1.7.1-secure_path.diff (sudo now adds /sbin and + /usr/sbin to $PATH if it is empty) +- drop sudo-1.7.1-pam_rhost.diff (fixed in upstream) +- sudo-1.7.1-sudoers.diff renamed to sudo-sudoers.patch +- sudo-1.7.1-env.diff renamed to sudoers2ldif-env.patch +- do not package *.pod files +- use %verifyscript +- timestamp directory moved from /var/run/sudo to /var/lib/sudo +- better commented default /etc/sudoers +- packaged /etc/sudoers.d directory +- new sudo-devel subpackage +- cleaned specfile + +------------------------------------------------------------------- calling whatdependson for head-i586 Old: ---- sudo-1.7.1-__P.diff sudo-1.7.1-defaults.diff sudo-1.7.1-env.diff sudo-1.7.1-pam_rhost.diff sudo-1.7.1-secure_path.diff sudo-1.7.1-strip.diff sudo-1.7.1-sudoers.diff sudo-1.7.2p7.tar.gz sudo-CVE-2011-0010.patch New: ---- sudo-1.8.0.tar.bz2 
sudo-dont-ignore-LDFLAGS.patch sudo-sudoers.patch sudoers2ldif-env.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sudo.spec ++++++ --- /var/tmp/diff_new_pack.8N9sGK/_old 2011-03-24 09:37:31.000000000 +0100 +++ /var/tmp/diff_new_pack.8N9sGK/_new 2011-03-24 09:37:31.000000000 +0100 @@ -15,30 +15,27 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # -# norootforbuild Name: sudo -BuildRequires: openldap2-devel pam-devel postfix -BuildRequires: libselinux-devel -PreReq: coreutils -Version: 1.7.2p7 -Release: 5 -Group: System/Base +Version: 1.8.0 +Release: 1 License: BSD3c(or similar) -Url: http://www.sudo.ws/ Summary: Execute some commands as root -Source0: http://sudo.ws/sudo/dist/%{name}-%{version}.tar.gz -Source1: %{name}.pamd +Url: http://www.sudo.ws/ +Group: System/Base +Source0: http://sudo.ws/sudo/dist/%{name}-%{version}.tar.bz2 +Source1: sudo.pamd Source2: README.SUSE -Patch1: %{name}-1.7.1-defaults.diff -Patch2: %{name}-1.7.1-sudoers.diff -Patch3: %{name}-1.7.1-__P.diff -Patch4: %{name}-1.7.1-strip.diff -Patch5: %{name}-1.7.1-secure_path.diff -Patch6: %{name}-1.7.1-env.diff -Patch7: %{name}-1.7.1-pam_rhost.diff -Patch8: sudo-CVE-2011-0010.patch +Patch1: sudoers2ldif-env.patch +Patch2: sudo-dont-ignore-LDFLAGS.patch +Patch3: sudo-sudoers.patch +BuildRequires: audit-devel +BuildRequires: libselinux-devel +BuildRequires: openldap2-devel +BuildRequires: pam-devel +PreReq: coreutils +PreReq: permissions BuildRoot: %{_tmppath}/%{name}-%{version}-build %description 
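Review bot: `Source0: http://sudo.ws/sudo/dist/%{name}-%{version}.tar.bz2` is a plain-http URL with no detached signature or checksum listed beside it, so nothing in the package sources ties the new 1.8.0 tarball to upstream. For a setuid-root package I would add the upstream signature as an extra source, e.g. `Source3: <upstream signature file for the tarball>` (placeholder; use the name upstream actually publishes), and have the build or submission check verify it. The spec section that starts at `%description` continues outside this hunk.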
@@ -50,25 +47,19 @@ given time N (where N is defined at installation and is set to 5 minutes by default). +%package devel +License: BSD3c(or similar) +Summary: Header files needed for sudo plugin development +Group: Development/Libraries/C and C++ - -Authors: --------- - Jeff Nieusma <nieusma@rootgroup.com> - David Hieb <davehieb@rootgroup.com> - Ian McCloghrie <ian@ucsd.edu> +%description devel +These header files are needed for building of sudo plugins. %prep %setup -q -%patch1 -%patch2 -%patch3 -%patch4 -%patch5 -%patch6 -%patch7 -%patch8 -p1 -cp %{SOURCE2} . +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 %build %ifarch s390 s390x %sparc 
@@ -76,56 +67,79 @@ %else F_PIE=-fpie %endif -export CFLAGS="$RPM_OPT_FLAGS -Wall $F_PIE -DLDAP_DEPRECATED" +export CFLAGS="%{optflags} -Wall $F_PIE -DLDAP_DEPRECATED" export LDFLAGS="-pie" %configure \ --libexecdir=%{_libexecdir}/sudo \ + --docdir=%{_docdir}/%{name} \ --with-noexec=%{_libexecdir}/sudo/sudo_noexec.so \ + --with-pam \ + --with-ldap \ --with-selinux \ + --with-linux-audit \ --with-logfac=auth \ --with-insults \ --with-all-insults \ --with-ignore-dot \ --with-tty-tickets \ --enable-shell-sets-home \ + --enable-warnings \ + --with-sendmail=%{_sbindir}/sendmail \ --with-sudoers-mode=0440 \ - --with-pam \ - --with-ldap \ --with-env-editor \ --without-secure-path \ --with-passprompt='%%p\x27s password:' make %{?_smp_mflags} %install -make DESTDIR=$RPM_BUILD_ROOT install -install -d -m 700 $RPM_BUILD_ROOT%{_localstatedir}/run/sudo -install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/pam.d -install -m 644 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/sudo -install -m 755 sudoers2ldif $RPM_BUILD_ROOT%{_sbindir}/sudoers2ldif -rm -f $RPM_BUILD_ROOT%{_bindir}/sudoedit -ln -sf %{_bindir}/sudo $RPM_BUILD_ROOT%{_bindir}/sudoedit -install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema -install -m 644 schema.OpenLDAP $RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema/sudo.schema +%make_install +install -d -m 755 %{buildroot}%{_sysconfdir}/pam.d +install -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pam.d/sudo +mv %{buildroot}%{_docdir}/%{name}/sudoers2ldif %{buildroot}%{_sbindir} +rm -f %{buildroot}%{_bindir}/sudoedit +ln -sf %{_bindir}/sudo %{buildroot}%{_bindir}/sudoedit +install -d -m 755 %{buildroot}%{_sysconfdir}/openldap/schema +install -m 644 doc/schema.OpenLDAP %{buildroot}%{_sysconfdir}/openldap/schema/sudo.schema +install -m 644 %{SOURCE2} %{buildroot}%{_docdir}/%{name}/ +rm -f %{buildroot}%{_docdir}/%{name}/sample.pam +rm -f %{buildroot}%{_docdir}/%{name}/sample.syslog.conf +rm -f %{buildroot}%{_docdir}/%{name}/schema.OpenLDAP +rm -f 
%{buildroot}%{_libexecdir}/%{name}/sudoers.la %post chmod 0440 %{_sysconfdir}/sudoers +%if 0%{?suse_version} <= 1130 +%run_permissions +%else +%set_permissions /usr/bin/sudo +%endif + +%verifyscript +%verify_permissions -e /usr/bin/sudo %clean -rm -rf $RPM_BUILD_ROOT +rm -rf %{buildroot} %files %defattr(-,root,root) -%doc HISTORY LICENSE PORTING README README.LDAP README.SUSE TROUBLESHOOTING UPGRADE WHATSNEW *.pod +%doc %{_docdir}/%{name} %doc %{_mandir}/man?/* %config(noreplace) %attr(0440,root,root) %{_sysconfdir}/sudoers +%dir %{_sysconfdir}/sudoers.d %config %{_sysconfdir}/pam.d/sudo %attr(4755,root,root) %{_bindir}/sudo %dir %{_sysconfdir}/openldap %dir %{_sysconfdir}/openldap/schema %attr(0444,root,root) %config %{_sysconfdir}/openldap/schema/sudo.schema %{_bindir}/sudoedit -%{_sbindir}/* +%{_bindir}/sudoreplay +%{_sbindir}/visudo +%attr(0755,root,root) %{_sbindir}/sudoers2ldif %{_libexecdir}/sudo -%{_localstatedir}/run/sudo +%attr(0700,root,root) %dir %ghost %{_localstatedir}/lib/sudo + +%files devel +%defattr(-,root,root) +%{_includedir}/sudo_plugin.h %changelog ++++++ sudo-1.7.2p7.tar.gz -> sudo-1.8.0.tar.bz2 ++++++ ++++ 249323 lines of diff (skipped) ++++++ sudo-dont-ignore-LDFLAGS.patch ++++++ Index: sudo-1.8.0/plugins/sudoers/Makefile.in =================================================================== --- sudo-1.8.0.orig/plugins/sudoers/Makefile.in +++ sudo-1.8.0/plugins/sudoers/Makefile.in @@ -55,7 +55,7 @@ CPPFLAGS = -I$(incdir) -I$(top_builddir) CFLAGS = @CFLAGS@ # Flags to pass to the link stage -LDFLAGS = +LDFLAGS = @LDFLAGS@ SUDOERS_LDFLAGS = @SUDOERS_LDFLAGS@ # Where to install things... ++++++ sudo-sudoers.patch ++++++ Index: sudo-1.8.0/plugins/sudoers/sudoers.in =================================================================== --- sudo-1.8.0.orig/plugins/sudoers/sudoers.in +++ sudo-1.8.0/plugins/sudoers/sudoers.in 
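Review bot: `%dir %{_sysconfdir}/sudoers.d` in `%files` carries no `%attr`, so the drop-in directory ships with whatever mode the upstream install step left in the buildroot, while `sudoers` itself is pinned with `%attr(0440,root,root)` and re-chmodded in `%post`. Anything that can write into that directory can add sudoers rules, so I would pin it the same way, e.g. `%attr(0750,root,root) %dir %{_sysconfdir}/sudoers.d`. The same section moves the timestamp directory to `%{_localstatedir}/lib/sudo`, which presumably is not cleared at boot as `/var/run` was, so it is worth confirming that stale tickets are rejected after a reboot.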
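Review bot: With `LDFLAGS = @LDFLAGS@` the sudoers plugin is linked with whatever the packaging exports, and in this commit that is only `export LDFLAGS="-pie"` in sudo.spec. For a setuid-root program and the module it loads, read-only relocations and immediate binding are the usual companions of PIE, so consider `export LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"` in the spec. It is also worth checking that `-pie` is accepted when libtool links the shared module. The Makefile.in rules that consume LDFLAGS are outside this hunk.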
@@ -31,37 +31,36 @@ ## ## Defaults specification ## -## You may wish to keep some of the following environment variables -## when running commands via sudo. -## -## Locale settings -# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" -## -## Run X applications through sudo; HOME is used to find the -## .Xauthority file. Note that other programs use HOME to find -## configuration files and this may lead to privilege escalation! -# Defaults env_keep += "HOME" -## -## X11 resource path settings -# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" -## -## Desktop path settings -# Defaults env_keep += "QTDIR KDEDIR" -## -## Allow sudo-run commands to inherit the callers' ConsoleKit session -# Defaults env_keep += "XDG_SESSION_COOKIE" -## -## Uncomment to enable special input methods. Care should be taken as -## this may allow users to subvert the command being run via sudo. -# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" +## Prevent environment variables from influencing programs in an +## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151) +Defaults always_set_home +Defaults env_reset +## Change env_reset to !env_reset in previous line to keep all environment variables +## Following list will no longer be necessary after this change + +Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE" +## Comment out the preceding line and uncomment the following one if you need +## to use special input methods. This may allow users to compromise the root +## account if they are allowed to run commands without authentication. 
+#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" + +## Do not insult users when they enter an incorrect password. +Defaults !insults + ## ## Uncomment to enable logging of a command's output, except for ## sudoreplay and reboot. Use sudoreplay to play back logged sessions. # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output -# Defaults!/usr/local/bin/sudoreplay !log_output # Defaults!/sbin/reboot !log_output +## In the default (unconfigured) configuration, sudo asks for the root password. +## This allows use of an ordinary user account for administration of a freshly +## installed system. When configuring sudo, delete the two +## following lines: +Defaults targetpw # ask for the password of the target user i.e. root +ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'! + ## ## Runas alias specification ## @@ -77,14 +76,6 @@ root ALL=(ALL) ALL ## Same thing without a password # %wheel ALL=(ALL) NOPASSWD: ALL -## Uncomment to allow members of group sudo to execute any command -# %sudo ALL=(ALL) ALL - -## Uncomment to allow any user to run sudo if they know the password -## of the user they are running the command as (root by default). -# Defaults targetpw # Ask for the password of the target user -# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' - ## Read drop-in files from @sysconfdir@/sudoers.d ## (the '#' here does not indicate a comment) #includedir @sysconfdir@/sudoers.d ++++++ sudoers2ldif-env.patch ++++++ Index: sudo-1.8.0/plugins/sudoers/sudoers2ldif =================================================================== --- sudo-1.8.0.orig/plugins/sudoers/sudoers2ldif +++ sudo-1.8.0/plugins/sudoers/sudoers2ldif 
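Review bot: The shipped default enables `Defaults targetpw` together with `ALL ALL=(ALL) ALL`, and the only guard against separating them is the trailing `# WARNING!` comment and the instruction to delete both lines. If an administrator removes or overrides only `targetpw`, or adds rules under the newly packaged sudoers.d without touching this file, every local account keeps `ALL ALL=(ALL) ALL`. I would spell that out in the block comment, e.g. `## Removing only 'Defaults targetpw' lets every user run any command as root with their own password.` and `## Rules added in sudoers.d do not disable these two lines.` Separately, `Defaults env_keep = "..."` uses `=` rather than `+=`, which replaces sudo's built-in keep list; a one-line comment saying that this is intentional would help. The second hunk on this line only deletes the commented-out upstream equivalents.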
@@ -1,4 +1,4 @@ -#!/usr/bin/env perl +#!/usr/bin/perl use strict; # ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... -- To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit+help@opensuse.org