From patchwork Sat Feb 5 20:33:43 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Adolf Belka X-Patchwork-Id: 5089 Return-Path: Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by web04.haj.ipfire.org (Postfix) with ESMTPS id 4JrkdY4tQmz3wsl for ; Sat, 5 Feb 2022 20:33:53 +0000 (UTC) Received: from mail02.haj.ipfire.org (mail02.haj.ipfire.org [172.28.1.201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail02.haj.ipfire.org", Issuer "R3" (verified OK)) by mail01.ipfire.org (Postfix) with ESMTPS id 4JrkdX6Q6qz3hl; Sat, 5 Feb 2022 20:33:52 +0000 (UTC) Received: from mail02.haj.ipfire.org (localhost [127.0.0.1]) by mail02.haj.ipfire.org (Postfix) with ESMTP id 4JrkdW6HPZz2yWX; Sat, 5 Feb 2022 20:33:51 +0000 (UTC) Received: from mail01.ipfire.org (mail01.haj.ipfire.org [172.28.1.202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) client-signature ECDSA (P-384)) (Client CN "mail01.haj.ipfire.org", Issuer "R3" (verified OK)) by mail02.haj.ipfire.org (Postfix) with ESMTPS id 4JrkdV3YYYz2xW7 for ; Sat, 5 Feb 2022 20:33:50 +0000 (UTC) Received: from [127.0.0.1] (localhost [127.0.0.1]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by mail01.ipfire.org (Postfix) with ESMTPSA id 4JrkdV188KzYR; Sat, 5 Feb 2022 20:33:50 +0000 (UTC) DKIM-Signature: v=1; a=ed25519-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003ed25519; t=1644093230; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=D/tEBU43FQk1dRhNKVWlLZ5ulyA8q9j63FUz8h6N6kg=; b=JHPhwajLXMOXxmd2qxtWs65+r22/Qx7fEKVF6rKNgvB/ISnQ3dI1Jcrh9EPyVvx5hvjQbZ IIAXCgwAcWUQQvDQ== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipfire.org; s=202003rsa; t=1644093230; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding; bh=D/tEBU43FQk1dRhNKVWlLZ5ulyA8q9j63FUz8h6N6kg=; b=g1EUAQLDcc/YL2skLtgf0aQM7LRFOYIg5whmzxASZMTYb+sf7fLVd+4mlBwlz1J7ENj9Ix eVqHIICw1qdjnSR+q83A7V8RX8FagWBAGroIXxgb2a1OHTLk7SPvyLbC0p/GIHsEnge9+s xKVfijB6QKUah/w5HArw4skYhGg2w4rTP2xtkrjeVEmLQ+4Rd+5uVw9z3/XkvV8p95Wehm EE6Yb9f15aLMp8zM4RaqV3J8Xds70bRDXjfPWgf2I3TWNmdeypohLg0mv6F89leB28SBBJ ecCOoejnnuhbnfN1bzMOHVGiiL6fzh+ZxZ+MhpAIww4sFj1xL1LwrCbQZhl6lw== From: Adolf Belka To: development@lists.ipfire.org Subject: [PATCH] sudo: Update to version 1.9.9 Date: Sat, 5 Feb 2022 21:33:43 +0100 Message-Id: <20220205203343.1998470-1-adolf.belka@ipfire.org> MIME-Version: 1.0 X-BeenThere: development@lists.ipfire.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: IPFire development talk List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: development-bounces@lists.ipfire.org Sender: "Development" - Update from 1.9.8p2 to 1.9.9 - Update of rootfile - Changelog What's new in Sudo 1.9.9 * Sudo can now be built with OpenSSL 3.0 without generating warnings about deprecated OpenSSL APIs. * A digest can now be specified along with the "ALL" command in the LDAP and SSSD back-ends. Sudo 1.9.0 introduced support for this in the sudoers file but did not include corresponding changes for the other back-ends. * visudo now only warns about an undefined alias or a cycle in an alias once for each alias. * The sudoRole cn was truncated by a single character in warning messages. GitHub issue #115. * The cvtsudoers utility has new --group-file and --passwd-file options to use a custom passwd or group file when the --match-local option is also used. * The cvtsudoers utility can now filter or match based on a command. * The cvtsudoers utility can now produce output in csv (comma-separated value) format. This can be used to help generate entitlement reports. * Fixed a bug in sudo_logsrvd that could result in the connection being dropped for very long command lines. * Fixed a bug where sudo_logsrvd would not accept a restore point of zero. * Fixed a bug in visudo where the value of the "editor" setting was not used if it did not match the user's EDITOR environment variable. This was only a problem if the "env_editor" setting was not enabled. Bug #1000. * Sudo now builds with the -fcf-protection compiler option and the "-z now" linker option if supported. * The output of "sudoreplay -l" now more closely matches the traditional sudo log format. * The sudo_sendlog utility will now use the full contents of the log.json file, if present. This makes it possible to send sudo-format I/O logs that use the newer log.json format to sudo_logsrvd without losing any information. * Fixed compilation of the arc4random_buf() replacement on systems with arc4random() but no arc4random_buf(). Bug #1008. * Sudo now uses its own getentropy() by default on Linux. The GNU libc version of getentropy() will fail on older kernels that don't support the getrandom() system call. * It is now possible to build sudo with WolfSSL's OpenSSL compatibility layer by using the --enable-wolfssl configure option. * Fixed a bug related to Daylight Saving Time when parsing timestamps in Generalized Time format. This affected the NOTBEFORE and NOTAFTER options in sudoers. Bug #1006 * Added the -O and -P options to visudo, which can be used to check or set the owner and permissions. This can be used in conjunction with the -c option to check that the sudoers file ownership and permissions are correct. Bug #1007. * It is now possible to set resource limits in the sudoers file itself. The special values "default" and "user" refer to the default system limit and invoking user limit respectively. The core dump size limit is now set to 0 by default unless overridden by the sudoers file. * The cvtsudoers utility can now merge multiple sudoers sources into a single, combined sudoers file. If there are conflicting entries, cvtsudoers will attempt to resolve them but manual intervention may be required. The merging of sudoers rules is currently fairly simplistic but will be improved in a future release. * Sudo was parsing but not applying the "deref" and "tls_reqcert" ldap.conf settings. This meant the options were effectively ignored which broke dereferencing of aliases in LDAP. Bug #1013. * Clarified in the sudo man page that the security policy may override the user's PATH environment variable. Bug #1014. * When sudo is run in non-interactive mode (with the -n option), it will now attempt PAM authentication and only exit with an error if user interaction is required. This allows PAM modules that don't interact with the user to succeed. Previously, sudo would not attempt authentication if the -n option was specified. Bug #956 and GitHub issue #83. * Fixed a regression introduced in version 1.9.1 when sudo is built with the --with-fqdn configure option. The local host name was being resolved before the sudoers file was processed, making it impossible to disable DNS lookups by negating the "fqdn" sudoers option. Bug #1016. * Added support for negated sudoUser attributes in the LDAP and SSSD sudoers back ends. A matching sudoUser that is negated will cause the sudoRole containing it to be ignored. * Fixed a bug where the stack resource limit could be set to a value smaller than that of the invoking user and not be reset before the command was run. Bug #1017. Signed-off-by: Adolf Belka Reviewed-by: Peter Müller --- config/rootfiles/common/sudo | 17 +++++++++++------ lfs/sudo | 4 ++-- 2 files changed, 13 insertions(+), 8 deletions(-) diff --git a/config/rootfiles/common/sudo b/config/rootfiles/common/sudo index 80e83efa4..1cb0d2bf7 100644 --- a/config/rootfiles/common/sudo +++ b/config/rootfiles/common/sudo @@ -30,15 +30,18 @@ usr/lib/sudo/system_group.so #usr/sbin/sudo_sendlog usr/sbin/visudo #usr/share/doc/sudo -#usr/share/doc/sudo/CONTRIBUTORS +#usr/share/doc/sudo/CONTRIBUTING.md +#usr/share/doc/sudo/CONTRIBUTORS.md #usr/share/doc/sudo/ChangeLog -#usr/share/doc/sudo/HISTORY -#usr/share/doc/sudo/LICENSE +#usr/share/doc/sudo/HISTORY.md +#usr/share/doc/sudo/LICENSE.md #usr/share/doc/sudo/NEWS -#usr/share/doc/sudo/README -#usr/share/doc/sudo/TROUBLESHOOTING -#usr/share/doc/sudo/UPGRADE +#usr/share/doc/sudo/README.md +#usr/share/doc/sudo/SECURITY.md +#usr/share/doc/sudo/TROUBLESHOOTING.md +#usr/share/doc/sudo/UPGRADE.md #usr/share/doc/sudo/examples +#usr/share/doc/sudo/examples/cvtsudoers.conf #usr/share/doc/sudo/examples/pam.conf #usr/share/doc/sudo/examples/sudo.conf #usr/share/doc/sudo/examples/sudo_logsrvd.conf @@ -58,8 +61,10 @@ usr/sbin/visudo #usr/share/locale/eo/LC_MESSAGES/sudo.mo #usr/share/locale/eo/LC_MESSAGES/sudoers.mo #usr/share/locale/es/LC_MESSAGES/sudo.mo +#usr/share/locale/es/LC_MESSAGES/sudoers.mo #usr/share/locale/eu/LC_MESSAGES/sudo.mo #usr/share/locale/eu/LC_MESSAGES/sudoers.mo +#usr/share/locale/fa/LC_MESSAGES/sudo.mo #usr/share/locale/fi/LC_MESSAGES/sudo.mo #usr/share/locale/fi/LC_MESSAGES/sudoers.mo #usr/share/locale/fr/LC_MESSAGES/sudo.mo diff --git a/lfs/sudo b/lfs/sudo index bec0f6021..8fc6879de 100644 --- a/lfs/sudo +++ b/lfs/sudo @@ -24,7 +24,7 @@ include Config -VER = 1.9.8p2 +VER = 1.9.9 THISAPP = sudo-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_MD5 = f831c1d62835cde89c261465d9c781e4 +$(DL_FILE)_MD5 = f112d8ee214ef46ac6398196958ee383 install : $(TARGET)