Message ID | 20220405134816.2929511-1-adolf.belka@ipfire.org |
---|---|
State | Accepted |
Commit | e367031b383dc4d737403386f55585af4333bfa4 |
Series | sudo: Update to version 1.9.10 |
Commit Message
Adolf Belka
April 5, 2022, 1:48 p.m. UTC
- Update from 1.9.9 to 1.9.10
- Update of rootfile not required
- Changelog
What's new in Sudo 1.9.10
* Added new "log_passwords" and "passprompt_regex" sudoers options.
If "log_passwords" is disabled, sudo will attempt to prevent passwords
from being logged. If sudo detects any of the regular expressions in
the "passprompt_regex" list in the terminal output, sudo will log '*'
characters instead of the terminal input until a newline or carriage
return is found in the input or an output character is received.
* Added new "log_passwords" and "passprompt_regex" settings to
sudo_logsrvd that operate like the sudoers options when logging
terminal input.
* Fixed several bugs in the cvtsudoers utility when merging
multiple sudoers sources.
* Fixed a bug in sudo_logsrvd when parsing the sudo_logsrvd.conf
file, where the "retry_interval" in the [relay] section was not
being recognized.
* Restored the pre-1.9.9 behavior of not performing authentication
when sudo's -n option is specified. A new "noninteractive_auth"
sudoers option has been added to enable PAM authentication in
non-interactive mode. GitHub issue #131.
* On systems with /proc, if the /proc/self/stat (Linux) or
/proc/pid/psinfo (other systems) file is missing or invalid,
sudo will now check file descriptors 0-2 to determine the user's
terminal. Bug #1020.
* Fixed a compilation problem on Debian kFreeBSD. Bug #1021.
* Fixed a crash in sudo_logsrvd when running in relay mode if
an alert message is received.
* Fixed an issue that resulted in "problem with defaults entries"
email to be sent if a user ran sudo when the sudoers entry in
the nsswitch.conf file includes "sss" but no sudo provider is
configured in /etc/sssd/sssd.conf. Bug #1022.
* Updated the warning displayed when the invoking user is not
allowed to run sudo. If sudo has been configured to send mail
on failed attempts (see the mail_* flags in sudoers), it will
now print "This incident has been reported to the administrator."
If the "mailto" or "mailerpath" sudoers settings are disabled,
the message will not be printed and no mail will be sent.
GitHub issue #48.
* Fixed a bug where the user-specified command timeout was not
being honored if the sudoers rule did not also specify a timeout.
* Added support for using POSIX extended regular expressions in
sudoers rules. A command and/or arguments in sudoers are treated
as a regular expression if they start with a '^' character and
end with a '$'. The command and arguments are matched separately,
either one (or both) may be a regular expression.
Bug #578, GitHub issue #15.
* A user may now only run "sudo -U otheruser -l" if they have a
"sudo ALL" privilege where the RunAs user contains either "root"
or "otheruser". Previously, having "sudo ALL" was sufficient,
regardless of the RunAs user. GitHub issue #134.
* The sudo lecture is now displayed immediately before the password
prompt. As a result, sudo will no longer display the lecture
unless the user needs to enter a password. Authentication methods
that don't interact with the user via a terminal do not trigger
the lecture.
* Sudo now uses its own closefrom() emulation on Linux systems.
The glibc version may not work in a chroot jail where /proc is
not available. If close_range(2) is present, it will be used
in preference to /proc/self/fd.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
---
lfs/sudo | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
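The "log_passwords" / "passprompt_regex" behaviour described in the changelog above, modelled as an added example (not part of the original post and not sudo's own code). The prompt pattern, the function names and the session are assumptions constructed for illustration; the model shows why a prompt the regex list does not cover still leaves the typed secret in the log.

```python
import re

# Assumed prompt list for illustration; a real deployment sets passprompt_regex itself.
PROMPTS = [re.compile(r"[Pp]assword[: ]*")]

def logged_stream(events, prompts=PROMPTS, log_passwords=False):
    """Model of the I/O log: events are ("out" | "in", text) in terminal order.

    Simplification: each "out" event is matched on its own; output split
    across several writes is not reassembled here.
    """
    masking = False
    log = []
    for direction, text in events:
        if direction == "out":
            # Any output ends masking; a prompt match (re)starts it.
            masking = (not log_passwords) and any(p.search(text) for p in prompts)
            log.append((direction, text))
            continue
        kept = []
        for ch in text:
            if masking and ch in "\r\n":
                masking = False          # newline or CR ends the typed secret
                kept.append(ch)
            else:
                kept.append("*" if masking else ch)
        log.append((direction, "".join(kept)))
    return log

def logged_input(events, **kw):
    """Only the terminal input as it would appear in the log."""
    return [text for d, text in logged_stream(events, **kw) if d == "in"]

# Constructed session: one prompt the pattern covers, one it does not.
SESSION = [
    ("out", "# "), ("in", "su - backup\n"),
    ("out", "Password: "), ("in", "hunter2\n"),
    ("out", "$ "), ("in", "ssh-add\n"),
    ("out", "Enter passphrase for key: "), ("in", "s3cret\n"),
]

if __name__ == "__main__":
    for line in logged_input(SESSION):
        print(repr(line))
```

Passing a wider pattern list as `prompts` masks the second secret as well, which is the check to run against the prompts actually seen on a host before relying on the option.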
Comments
Reviewed-by: Peter Müller <peter.mueller@ipfire.org> > - Update from 1.9.9 to 1.9.10 > - Update of rootfile not required > - Changelog > What's new in Sudo 1.9.10 > * Added new "log_passwords" and "passprompt_regex" sudoers options. > If "log_passwords" is disabled, sudo will attempt to prevent passwords > from being logged. If sudo detects any of the regular expressions in > the "passprompt_regex" list in the terminal output, sudo will log '*' > characters instead of the terminal input until a newline or carriage > return is found in the input or an output character is received. > * Added new "log_passwords" and "passprompt_regex" settings to > sudo_logsrvd that operate like the sudoers options when logging > terminal input. > * Fixed several few bugs in the cvtsudoers utility when merging > multiple sudoers sources. > * Fixed a bug in sudo_logsrvd when parsing the sudo_logsrvd.conf > file, where the "retry_interval" in the [relay] section was not > being recognized. > * Restored the pre-1.9.9 behavior of not performing authentication > when sudo's -n option is specified. A new "noninteractive_auth" > sudoers option has been added to enable PAM authentication in > non-interactive mode. GitHub issue #131. > * On systems with /proc, if the /proc/self/stat (Linux) or > /proc/pid/psinfo (other systems) file is missing or invalid, > sudo will now check file descriptors 0-2 to determine the user's > terminal. Bug #1020. > * Fixed a compilation problem on Debian kFreeBSD. Bug #1021. > * Fixed a crash in sudo_logsrvd when running in relay mode if > an alert message is received. > * Fixed an issue that resulting in "problem with defaults entries" > email to be sent if a user ran sudo when the sudoers entry in > the nsswitch.conf file includes "sss" but no sudo provider is > configured in /etc/sssd/sssd.conf. Bug #1022. > * Updated the warning displayed when the invoking user is not > allowed to run sudo. 
If sudo has been configured to send mail > on failed attempts (see the mail_* flags in sudoers), it will > now print "This incident has been reported to the administrator." > If the "mailto" or "mailerpath" sudoers settings are disabled, > the message will not be printed and no mail will be sent. > GitHub issue #48. > * Fixed a bug where the user-specified command timeout was not > being honored if the sudoers rule did not also specify a timeout. > * Added support for using POSIX extended regular expressions in > sudoers rules. A command and/or arguments in sudoers are treated > as a regular expression if they start with a '^' character and > end with a '$'. The command and arguments are matched separately, > either one (or both) may be a regular expression. > Bug #578, GitHub issue #15. > * A user may now only run "sudo -U otheruser -l" if they have a > "sudo ALL" privilege where the RunAs user contains either "root" > or "otheruser". Previously, having "sudo ALL" was sufficient, > regardless of the RunAs user. GitHub issue #134. > * The sudo lecture is now displayed immediately before the password > prompt. As a result, sudo will no longer display the lecture > unless the user needs to enter a password. Authentication methods > that don't interact with the user via a terminal do not trigger > the lecture. > * Sudo now uses its own closefrom() emulation on Linux systems. > The glibc version may not work in a chroot jail where /proc is > not available. If close_range(2) is present, it will be used > in preference to /proc/self/fd. > > Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> > --- > lfs/sudo | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/lfs/sudo b/lfs/sudo > index 6c18892b4..4d73db639 100644 > --- a/lfs/sudo > +++ b/lfs/sudo > @@ -24,7 +24,7 @@ > > include Config > > -VER = 1.9.9 > +VER = 1.9.10 > > THISAPP = sudo-$(VER) > DL_FILE = $(THISAPP).tar.gz 
> @@ -40,7 +40,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_BLAKE2 = 1a661a24e9891c705ca1ff0ff0881be30888ac850d18478031379de6cfa10a581ee4b256fda7d8882e17c661bcaa03b1055ab0e525dc75a2b1feec2ca13283c8 > +$(DL_FILE)_BLAKE2 = 94d97379e31b41917616a829cbece3d3fce7dd6ab9d04791b928981c14249c306508298655c19dc59a054ccf7deed4e69e65367cbfe9f6d8b5aba8895cfa6064 > > install : $(TARGET) >
diff --git a/lfs/sudo b/lfs/sudo index 6c18892b4..4d73db639 100644 --- a/lfs/sudo +++ b/lfs/sudo @@ -24,7 +24,7 @@ include Config -VER = 1.9.9 +VER = 1.9.10 THISAPP = sudo-$(VER) DL_FILE = $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects = $(DL_FILE) $(DL_FILE) = $(DL_FROM)/$(DL_FILE) -$(DL_FILE)_BLAKE2 = 1a661a24e9891c705ca1ff0ff0881be30888ac850d18478031379de6cfa10a581ee4b256fda7d8882e17c661bcaa03b1055ab0e525dc75a2b1feec2ca13283c8 +$(DL_FILE)_BLAKE2 = 94d97379e31b41917616a829cbece3d3fce7dd6ab9d04791b928981c14249c306508298655c19dc59a054ccf7deed4e69e65367cbfe9f6d8b5aba8895cfa6064 install : $(TARGET)
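Review bot: the `VER = 1.9.10` bump in the first hunk carries behaviour changes that the commit message lists but does not assess for this distribution, notably that authentication is no longer performed when `-n` is given and that `sudo -U otheruser -l` now needs a RunAs user containing "root" or "otheruser". Suggest adding a line to the message, next to "Update of rootfile not required", saying whether any shipped sudoers rule or script relied on the 1.9.9 behaviour.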
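Review bot: the new `$(DL_FILE)_BLAKE2` value in the second hunk is the only integrity check on the tarball visible here, and neither the patch nor the message says how the 1.9.10 archive was checked before that digest was computed. Suggest stating in the commit message that the download was verified against upstream's published checksum or signature, so the pinned digest is known to describe the intended release.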