| -rw-r--r-- | package/sudo/sudo.mk | 15 | ||||
| -rw-r--r-- | package/sudo/sudo_1.6.8p12-1ubuntu6.patch (renamed from package/sudo/sudo_1.6.8p9-2ubuntu2.3.patch) | 1169 | ||||
| -rw-r--r-- | package/sudo/sudo_1.6.8p12-2-no-cxx-configcheck.patch | 22 | 
3 files changed, 1070 insertions, 136 deletions
| 
diff --git a/package/sudo/sudo.mk b/package/sudo/sudo.mk
index bf7ce4655..26216512d 100644
--- a/package/sudo/sudo.mk
+++ b/package/sudo/sudo.mk
@@ -4,7 +4,7 @@
 #
 #############################################################
-SUDO_VER:=1.6.8p9
+SUDO_VER:=1.6.8p12
 SUDO_SOURCE:=sudo-$(SUDO_VER).tar.gz
 SUDO_SITE:=http://www.courtesan.com/sudo/dist
 SUDO_DIR:=$(BUILD_DIR)/sudo-$(SUDO_VER)
@@ -24,6 +24,7 @@ $(SUDO_DIR)/.configured: $(SUDO_DIR)/.unpacked $(SUDO_CONFIG_FILE)
 	(cd $(SUDO_DIR); rm -rf config.cache; \
 		$(TARGET_CONFIGURE_OPTS) \
 		./configure \
+		CFLAGS="$(TARGET_CFLAGS)" \
 		--target=$(GNU_TARGET_NAME) \
 		--host=$(GNU_TARGET_NAME) \
 		--build=$(GNU_HOST_NAME) \
@@ -54,15 +55,17 @@ $(SUDO_DIR)/sudo: $(SUDO_DIR)/.configured
 	touch -c $(SUDO_DIR)/sudo
 $(TARGET_DIR)/usr/bin/sudo: $(SUDO_DIR)/sudo
-	# Use fakeroot to pretend to do 'make install' as root
-	echo "$(MAKE) $(TARGET_CONFIGURE_OPTS) DESTDIR="$(TARGET_DIR)" -C $(SUDO_DIR) install" \
-		> $(STAGING_DIR)/.fakeroot.sudo
+	$(INSTALL) -m 4555 -D $(SUDO_DIR)/sudo $(TARGET_DIR)/usr/bin/sudo
+	$(INSTALL) -m 0555 -D $(SUDO_DIR)/visudo $(TARGET_DIR)/usr/sbin/visudo
+	$(INSTALL) -m 0440 -D $(SUDO_DIR)/sudoers $(TARGET_DIR)/etc/sudoers
+	$(STRIP) $(TARGET_DIR)/usr/bin/sudo $(TARGET_DIR)/usr/sbin/visudo
 	touch -c $(TARGET_DIR)/usr/bin/sudo
-sudo: uclibc host-fakeroot $(TARGET_DIR)/usr/bin/sudo
+sudo: uclibc $(TARGET_DIR)/usr/bin/sudo
 sudo-clean:
-	rm -f $(TARGET_DIR)/usr/bin/sudo
+	rm -f $(TARGET_DIR)/usr/bin/sudo $(TARGET_DIR)/etc/sudoers \
+		$(TARGET_DIR)/usr/sbin/visudo
 	-$(MAKE) -C $(SUDO_DIR) clean
 sudo-dirclean:
diff --git a/package/sudo/sudo_1.6.8p9-2ubuntu2.3.patch b/package/sudo/sudo_1.6.8p12-1ubuntu6.patch
index fde3ed749..a370bd06c 100644
--- a/package/sudo/sudo_1.6.8p9-2ubuntu2.3.patch
+++ b/package/sudo/sudo_1.6.8p12-1ubuntu6.patch
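Review bot: In package/sudo/sudo.mk, the new `$(INSTALL)` lines in the `$(TARGET_DIR)/usr/bin/sudo` recipe set modes (4555 for sudo, 0440 for sudoers) but no owner, and the same hunk drops the `host-fakeroot` prerequisite, so both files end up owned by whoever runs the build. sudo needs a root-owned setuid binary and a root-owned sudoers file, so the recipe now depends on a later image-generation step forcing uid/gid 0, which is not visible in this diff. I would state that dependency above the first install line, for example `# ownership is set to root:root when the rootfs image is generated; mode 4555 alone is not enough`, and confirm that step covers `/usr/bin/sudo` and `/etc/sudoers`. The recipe also rewrites `$(TARGET_DIR)/etc/sudoers` on every reinstall and `sudo-clean` now deletes it, so a policy edited in the target tree is lost without warning.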
@@ -1,5 +1,5 @@ ---- sudo-1.6.8p9.orig/sudoers.man.in -+++ sudo-1.6.8p9/sudoers.man.in +--- sudo-1.6.8p12.orig/sudoers.man.in ++++ sudo-1.6.8p12/sudoers.man.in  @@ -759,7 +759,7 @@   .IP "exempt_group" 12   .IX Item "exempt_group" @@ -9,8 +9,8 @@   .IP "verifypw" 12   .IX Item "verifypw"   This option controls when a password will be required when a user runs ---- sudo-1.6.8p9.orig/sudo.man.in -+++ sudo-1.6.8p9/sudo.man.in +--- sudo-1.6.8p12.orig/sudo.man.in ++++ sudo-1.6.8p12/sudo.man.in  @@ -185,8 +185,7 @@   \&\fBsudo\fR determines who is an authorized user by consulting the file   \&\fI@sysconfdir@/sudoers\fR.  By giving \fBsudo\fR the \fB\-v\fR flag a user 
@@ -21,8 +21,59 @@   \&\fIsudoers\fR).   .PP   If a user who is not listed in the \fIsudoers\fR file tries to run a ---- sudo-1.6.8p9.orig/env.c -+++ sudo-1.6.8p9/env.c +--- sudo-1.6.8p12.orig/parse.yacc ++++ sudo-1.6.8p12/parse.yacc +@@ -120,6 +120,7 @@ + 	} \ + 	match[top].user   = UNSPEC; \ + 	match[top].cmnd   = UNSPEC; \ ++	match[top].cmndall= UNSPEC; \ + 	match[top].host   = UNSPEC; \ + 	match[top].runas  = UNSPEC; \ + 	match[top].nopass = def_authenticate ? UNSPEC : TRUE; \ +@@ -135,6 +136,7 @@ + 	} \ + 	match[top].user   = match[top-1].user; \ + 	match[top].cmnd   = match[top-1].cmnd; \ ++	match[top].cmndall= match[top-1].cmndall; \ + 	match[top].host   = match[top-1].host; \ + 	match[top].runas  = match[top-1].runas; \ + 	match[top].nopass = match[top-1].nopass; \ +@@ -675,6 +677,7 @@ + 				} + 			    } +  ++			    SETMATCH(cmnd_all, TRUE); + 			    $$ = TRUE; + 			} + 		|	ALIAS { +@@ -705,6 +708,7 @@ + 				$$ = NOMATCH; + 			    } + 			    free($1); ++			    SETMATCH(cmnd_all, FALSE); + 			} + 		|	 COMMAND { + 			    if (printmatches == TRUE) { +@@ -730,6 +734,7 @@ + 			    free($1.cmnd); + 			    if ($1.args) + 				free($1.args); ++			    SETMATCH(cmnd_all, FALSE); + 			} + 		; +  +--- sudo-1.6.8p12.orig/env.c ++++ sudo-1.6.8p12/env.c +@@ -77,7 +77,7 @@ + /* +  * Prototypes +  */ +-char **rebuild_env		__P((char **, int, int)); ++char **rebuild_env		__P((char **, int, int, int)); + char **zero_env			__P((char **)); + static void insert_env		__P((char *, int)); + static char *format_env		__P((char *, ...));  @@ -89,6 +89,8 @@   static const char *initial_badenv_table[] = {       "IFS", 
@@ -32,32 +83,90 @@       "LOCALDOMAIN",       "RES_OPTIONS",       "HOSTALIASES", -@@ -124,6 +126,23 @@ -     "TERMCAP",			/* XXX - only if it starts with '/' */ -     "ENV", -     "BASH_ENV", -+    "GLOBIGNORE",              /* bash, globbing patterns to ignore */ -+    "JAVA_TOOL_OPTIONS",       /* java, extra command line options */ -+    "PERLIO_DEBUG ",           /* perl, debugging output file */ -+    "PERLLIB",                 /* perl, search path for modules/includes */ -+    "PERL5LIB",                        /* perl 5, search path for modules/includes */ -+    "PERL5OPT",                        /* perl 5, extra command line options */ -+    "PERL5DB",                 /* perl 5, command used to load debugger */ -+    "FPATH",                   /* ksh, search path for functions */ -+    "NULLCMD",                 /* zsh, command for null file redirection */ -+    "READNULLCMD",             /* zsh, command for null file redirection */ -+    "ZDOTDIR",                 /* zsh, search path for dot files */ -+    "TMPPREFIX",               /* zsh, prefix for temporary files */ -+    "PYTHONHOME",              /* python, module search path */ -+    "PYTHONPATH",              /* python, search path */ -+    "PYTHONINSPECT",           /* python, allow inspection */ -+    "RUBYLIB",                 /* ruby, library load path */ -+    "RUBYOPT",                 /* ruby, extra command line options */ +@@ -140,6 +142,12 @@ +     "LC_*", +     "LANG", +     "LANGUAGE", ++    "TERM", ++    "HOME", ++    "LOGNAME", ++    "DISPLAY", ++    "XAUTHORITY", ++    "XAUTHORIZATION",       NULL   }; ---- sudo-1.6.8p9.orig/sudoers.pod -+++ sudo-1.6.8p9/sudoers.pod +@@ -321,10 +329,11 @@ +  * Also adds sudo-specific variables (SUDO_*). 
+  */ + char ** +-rebuild_env(envp, sudo_mode, noexec) ++rebuild_env(envp, sudo_mode, noexec, noclean) +     char **envp; +     int sudo_mode; +     int noexec; ++    int noclean; + { +     char **ep, *cp, *ps1; +     int okvar, iswild, didvar; +@@ -429,7 +438,7 @@ + 	 * env_check. + 	 */ + 	for (ep = envp; *ep; ep++) { +-	    okvar = 1; ++	    okvar = noclean; +  + 	    /* Skip variables with values beginning with () (bash functions) */ + 	    if ((cp = strchr(*ep, '=')) != NULL) { +@@ -438,6 +447,7 @@ + 	    } +  + 	    /* Skip anything listed in env_delete. */ ++#if 0 + 	    for (cur = def_env_delete; cur && okvar; cur = cur->next) { + 		len = strlen(cur->value); + 		/* Deal with '*' wildcard */ +@@ -451,9 +461,10 @@ + 		    okvar = 0; + 		} + 	    } ++#endif +  + 	    /* Check certain variables for '%' and '/' characters. */ +-	    for (cur = def_env_check; cur && okvar; cur = cur->next) { ++	    for (cur = def_env_check; cur; cur = cur->next) { + 		len = strlen(cur->value); + 		/* Deal with '*' wildcard */ + 		if (cur->value[len - 1] == '*') { +@@ -463,8 +474,24 @@ + 		    iswild = 0; + 		if (strncmp(cur->value, *ep, len) == 0 && + 		    (iswild || (*ep)[len] == '=') && +-		    strpbrk(*ep, "/%")) { +-		    okvar = 0; ++		    strpbrk(*ep, "/%") == NULL) { ++		    okvar = 1; ++		} ++	    } ++ ++	    /* keep variables in env_keep */ ++	    for (cur = def_env_keep; cur; cur = cur->next) { ++		len = strlen(cur->value); ++		/* Deal with '*' wildcard */ ++		if (cur->value[len - 1] == '*') { ++		    len--; ++		    iswild = 1; ++		} else ++		    iswild = 0; ++		if (strncmp(cur->value, *ep, len) == 0 && ++		    (iswild || (*ep)[len] == '=')) { ++		    okvar = 1; ++		    break; + 		} + 	    } +  +--- sudo-1.6.8p12.orig/sudoers.pod ++++ sudo-1.6.8p12/sudoers.pod  @@ -93,7 +93,7 @@    Cmnd_Alias ::= NAME '=' Cmnd_List 
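Review bot: The `#if 0` / `#endif` pair added around the `def_env_delete` loop in `rebuild_env()` (env.c section of the nested patch) compiles env_delete out entirely. With `okvar = noclean`, nothing in the visible lines clears `okvar` again once `noclean` is non-zero, apart from the `()` check whose body lies outside the hunk. For callers passing `noclean=1`, an administrator's env_delete list, presumably along with the built-in bad-variable table, and the env_check test for `/` and `%` therefore no longer remove anything. I would drop the `#if 0`/`#endif` pair so `for (cur = def_env_delete; cur && okvar; cur = cur->next)` still runs; in the cleaning case it is skipped anyway because `okvar` starts at 0. If the bypass is intended, record it at `okvar = noclean;` with a comment such as `/* noclean: env_delete and env_check are deliberately not applied */`; `rebuild_env()` starts and ends outside this hunk.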
@@ -67,6 +176,15 @@   Each I<alias> definition is of the form +@@ -568,7 +568,7 @@ +  + =item C<%%> +  +-two consecutive C<%> characters are collaped into a single C<%> character ++two consecutive C<%> characters are collapsed into a single C<%> character +  + =back +   @@ -669,8 +669,8 @@   =item exempt_group @@ -78,8 +196,19 @@   =item verifypw ---- sudo-1.6.8p9.orig/config.guess -+++ sudo-1.6.8p9/config.guess +--- sudo-1.6.8p12.orig/ins_classic.h ++++ sudo-1.6.8p12/ins_classic.h +@@ -32,7 +32,7 @@ +     "Where did you learn to type?", +     "Are you on drugs?", +     "My pet ferret can type better than you!", +-    "You type like i drive.", ++    "You type like I drive.", +     "Do you think like you type?", +     "Your mind just hasn't been the same since the electro-shock, has it?", +  +--- sudo-1.6.8p12.orig/config.guess ++++ sudo-1.6.8p12/config.guess  @@ -1,11 +1,9 @@   #! /bin/sh   # Attempt to guess a canonical system name. @@ -1407,8 +1536,8 @@   If the version you run ($0) is already up to date, please   send the following data and any information you think might be ---- sudo-1.6.8p9.orig/config.sub -+++ sudo-1.6.8p9/config.sub +--- sudo-1.6.8p12.orig/config.sub ++++ sudo-1.6.8p12/config.sub  @@ -1,11 +1,9 @@   #! /bin/sh   # Configuration validation subroutine script. 
@@ -1987,9 +2116,18 @@   # Local variables:   # eval: (add-hook 'write-file-hooks 'time-stamp) ---- sudo-1.6.8p9.orig/sudoers -+++ sudo-1.6.8p9/sudoers -@@ -5,6 +5,8 @@ +--- sudo-1.6.8p12.orig/sudoers ++++ sudo-1.6.8p12/sudoers +@@ -1,10 +1,17 @@ + # sudoers file. + # + # This file MUST be edited with the 'visudo' command as root. ++# 'visudo' edits the suoders file in a safe fashion. visudo ++# locks the sudoers file against multiple simultaneous edits, ++# provides basic sanity checks, and checks for syntax errors. If ++# the sudoers file is currently being edited you will receive a  ++# message to try again later. + #   # See the sudoers man page for the details on how to write a sudoers file.   # @@ -1998,8 +2136,8 @@   # Host alias specification   # User alias specification ---- sudo-1.6.8p9.orig/debian/dirs -+++ sudo-1.6.8p9/debian/dirs +--- sudo-1.6.8p12.orig/debian/dirs ++++ sudo-1.6.8p12/debian/dirs  @@ -0,0 +1,7 @@  +etc/pam.d  +usr/bin 
@@ -2008,26 +2146,113 @@  +usr/sbin  +usr/share/doc/sudo/examples  +usr/share/lintian/overrides ---- sudo-1.6.8p9.orig/debian/control -+++ sudo-1.6.8p9/debian/control -@@ -0,0 +1,15 @@ +--- sudo-1.6.8p12.orig/debian/docs ++++ sudo-1.6.8p12/debian/docs +@@ -0,0 +1,9 @@ ++debian/OPTIONS  ++BUGS  ++RUNSON  ++UPGRADE  ++PORTING ++TODO  ++HISTORY  ++README  ++TROUBLESHOOTING +--- sudo-1.6.8p12.orig/debian/sudo-ldap.init.d ++++ sudo-1.6.8p12/debian/sudo-ldap.init.d +@@ -0,0 +1,31 @@ ++#! /bin/sh ++ ++### BEGIN INIT INFO ++# Provides:          sudu ++# Required-Start:    $local_fs $remote_fs ++# Required-Stop: ++# Default-Start:     S 1 2 3 4 5 ++# Default-Stop:      0 6 ++### END INIT INFO ++ ++N=/etc/init.d/sudo ++ ++set -e ++ ++case "$1" in ++  start) ++	# make sure privileges don't persist across reboots ++	if [ -d /var/run/sudo ] ++	then ++                find /var/run/sudo -type f -exec touch -t 198501010000 '{}' \; ++	fi ++	;; ++  stop|reload|restart|force-reload) ++	;; ++  *) ++	echo "Usage: $N {start|stop|restart|force-reload}" >&2 ++	exit 1 ++	;; ++esac ++ ++exit 0 +--- sudo-1.6.8p12.orig/debian/control ++++ sudo-1.6.8p12/debian/control +@@ -0,0 +1,32 @@  +Source: sudo  +Section: admin  +Priority: optional  +Maintainer: Bdale Garbee <bdale@gag.com> -+Build-Depends: debhelper (>= 2.1.6), libpam0g-dev -+Standards-Version: 3.6.1.0 ++Build-Depends: debhelper (>= 5), libpam0g-dev, libldap2-dev ++Standards-Version: 3.6.2.1  +  +Package: sudo  +Architecture: any  +Depends: ${shlibs:Depends}, libpam-modules ++Conflicts: sudo-ldap ++Replaces: sudo-ldap  +Description: Provide limited super user privileges to specific users  + Sudo is a program designed to allow a sysadmin to give limited root  + privileges to users and log root activity.  The basic philosophy is to give  + as few privileges as possible but still allow people to get their work done. ++ . 
++ This version is built with minimal shared library dependencies, use the ++ sudo-ldap package instead if you need LDAP support. ++ ++Package: sudo-ldap ++Architecture: any ++Depends: ${shlibs:Depends}, libpam-modules ++Conflicts: sudo ++Replaces: sudo ++Provides: sudo ++Description: Provide limited super user privileges to specific users ++ Sudo is a program designed to allow a sysadmin to give limited root ++ privileges to users and log root activity.  The basic philosophy is to give ++ as few privileges as possible but still allow people to get their work done. ++ . ++ This version is built with LDAP support. +--- sudo-1.6.8p12.orig/debian/sudo-ldap.postrm ++++ sudo-1.6.8p12/debian/sudo-ldap.postrm +@@ -0,0 +1,21 @@ ++#! /bin/sh ++ ++set -e ++ ++case "$1" in ++       purge) ++	rm -f /etc/sudoers ++        ;; ++ ++       remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) ++        ;;  + ---- sudo-1.6.8p9.orig/debian/prerm -+++ sudo-1.6.8p9/debian/prerm ++    *) ++        echo "postrm called with unknown argument \`$1'" >&2 ++        exit 1 ++ ++esac ++ ++#DEBHELPER# ++ ++exit 0 +--- sudo-1.6.8p12.orig/debian/prerm ++++ sudo-1.6.8p12/debian/prerm  @@ -0,0 +1,37 @@  +#!/bin/sh  + 
@@ -2066,28 +2291,26 @@  +        *)  +                ;;  +esac ---- sudo-1.6.8p9.orig/debian/rules -+++ sudo-1.6.8p9/debian/rules -@@ -0,0 +1,98 @@ +--- sudo-1.6.8p12.orig/debian/rules ++++ sudo-1.6.8p12/debian/rules +@@ -0,0 +1,140 @@  +#!/usr/bin/make -f  + -+# Comment this to turn off verbose mode.  +export DH_VERBOSE=1  + -+# This is the debhelper compatibility version to use. -+export DH_COMPAT=2 -+  +CFLAGS = -O2 -Wall -Wno-comment  +ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS)))  +CFLAGS += -g  +endif  +export CFLAGS  + -+build: build-stamp -+build-stamp: ++build: config-stamp ++config-stamp:  +	dh_testdir  + -+	./configure --prefix=/usr -v \ ++	# simple version ++	mkdir -p build-simple ++	cd build-simple && ../configure --prefix=/usr -v \  +		--with-all-insults \  +		--with-exempt=sudo --with-pam --with-fqdn \  +		--with-logging=syslog --with-logfac=authpriv \ 
@@ -2098,16 +2321,36 @@  +		--without-lecture \  +		--with-secure-path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin"  + -+	-$(MAKE) ++	# LDAP version ++	mkdir -p build-ldap ++	cd build-ldap && ../configure --prefix=/usr -v \ ++		--with-all-insults \ ++		--with-exempt=sudo --with-pam --with-ldap --with-fqdn \ ++		--with-logging=syslog --with-logfac=authpriv \ ++		--with-env-editor --with-editor=/usr/bin/editor \ ++		--with-timeout=15 --with-password-timeout=0 \ ++		--disable-root-mailer --disable-setresuid \ ++		--with-sendmail=/usr/sbin/sendmail \ ++		--with-ldap-conf-file=/etc/ldap/ldap.conf \ ++		--with-secure-path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin" ++ ++	touch config-stamp ++ ++build: build-stamp ++build-stamp: config-stamp ++	dh_testdir ++ ++	-$(MAKE) -C build-simple ++	-$(MAKE) -C build-ldap  +  +	touch build-stamp  +  +clean:  +	dh_testdir  +	dh_testroot -+	rm -f build-stamp -+ -+	-$(MAKE) distclean || exit 0 ++	rm -f config-stamp build-stamp ++	rm -rf build-simple build-ldap ++	rm -f config.cache  +  +	-test -r /usr/share/misc/config.sub && \  +		cp -f /usr/share/misc/config.sub config.sub 
@@ -2116,20 +2359,23 @@  +  +	dh_clean  + -+install: build ++install: build-stamp  +	dh_testdir  +	dh_testroot  +	dh_clean -k  +	dh_installdirs  + -+	install -o root -g root -m 4755 -s sudo debian/sudo/usr/bin/sudo ++	# simple version ++	install -o root -g root -m 4755 -s build-simple/sudo debian/sudo/usr/bin/sudo  +	ln -sf sudo debian/sudo/usr/bin/sudoedit -+	install -o root -g root -m 0755 -s visudo debian/sudo/usr/sbin/visudo -+	install -o root -g root -m 0644 sudo.man \ ++	install -o root -g root -m 0755 -s build-simple/visudo \ ++		debian/sudo/usr/sbin/visudo ++	install -o root -g root -m 0644 build-simple/sudo.man \  +		debian/sudo/usr/share/man/man8/sudo.8  -+	install -o root -g root -m 0644 visudo.man \ ++	ln -sf sudo.8 debian/sudo/usr/share/man/man8/sudoedit.8 ++	install -o root -g root -m 0644 build-simple/visudo.man \  +		debian/sudo/usr/share/man/man8/visudo.8  -+	install -o root -g root -m 0644 sudoers.man \ ++	install -o root -g root -m 0644 build-simple/sudoers.man \  +		debian/sudo/usr/share/man/man5/sudoers.5   +	install -o root -g root -m 0644 sample.sudoers \  +		debian/sudo/usr/share/doc/sudo/examples/sudoers 
@@ -2139,26 +2385,47 @@  +	install -o root -g root -m 0644 debian/sudo.lintian \  +		debian/sudo/usr/share/lintian/overrides/sudo  + ++	install -o root -g root -m 0644 debian/sudo_root.8 \ ++		debian/sudo/usr/share/man/man8/sudo_root.8  ++ ++	# LDAP version ++	install -o root -g root -m 4755 -s build-ldap/sudo debian/sudo-ldap/usr/bin/sudo ++	ln -sf sudo debian/sudo-ldap/usr/bin/sudoedit ++	install -o root -g root -m 0755 -s build-ldap/visudo debian/sudo-ldap/usr/sbin/visudo ++	install -o root -g root -m 0644 build-ldap/sudo.man \ ++		debian/sudo-ldap/usr/share/man/man8/sudo.8  ++	ln -sf sudo.8 debian/sudo-ldap/usr/share/man/man8/sudoedit.8 ++	install -o root -g root -m 0644 build-ldap/visudo.man \ ++		debian/sudo-ldap/usr/share/man/man8/visudo.8  ++	install -o root -g root -m 0644 build-ldap/sudoers.man \ ++		debian/sudo-ldap/usr/share/man/man5/sudoers.5  ++	install -o root -g root -m 0644 sample.sudoers \ ++		debian/sudo-ldap/usr/share/doc/sudo-ldap/examples/sudoers ++	install -o root -g root -m 0644 debian/sudo.pam \ ++		debian/sudo-ldap/etc/pam.d/sudo ++ ++	install -o root -g root -m 0644 debian/sudo-ldap.lintian \ ++		debian/sudo-ldap/usr/share/lintian/overrides/sudo-ldap ++ ++	install -o root -g root -m 0644 debian/sudo_root.8 \ ++		debian/sudo/usr/share/man/man8/sudo_root.8  ++  +binary-indep: build install  +  +binary-arch: build install  +	dh_testdir  +	dh_testroot -+	dh_installdocs debian/OPTIONS BUGS RUNSON UPGRADE PORTING \ -+		TODO HISTORY README TROUBLESHOOTING -+	dh_installexamples -+	dh_installmenu -+	dh_installinit -+	dh_installcron ++	dh_installdocs ++	dh_installexamples -A ++#	dh_installinit -psudo -psudo-ldap  +	dh_installmanpages fnmatch.3 -+	dh_installinfo ++	dh_installinfo -A  +	dh_installchangelogs CHANGES -+	dh_link  +	dh_strip  +	dh_compress  +	dh_fixperms -+	chown root.root debian/sudo/usr/bin/sudo -+	chmod 4755 debian/sudo/usr/bin/sudo ++	chown root.root debian/sudo/usr/bin/sudo debian/sudo-ldap/usr/bin/sudo ++	chmod 4755 
debian/sudo/usr/bin/sudo debian/sudo-ldap/usr/bin/sudo  +	dh_installdeb  +	dh_shlibdeps  +	dh_gencontrol 
@@ -2167,39 +2434,151 @@  +  +binary: binary-indep binary-arch  +.PHONY: build clean binary-indep binary-arch binary install ---- sudo-1.6.8p9.orig/debian/conffiles -+++ sudo-1.6.8p9/debian/conffiles -@@ -0,0 +1,2 @@ -+/etc/init.d/sudo -+/etc/pam.d/sudo ---- sudo-1.6.8p9.orig/debian/changelog -+++ sudo-1.6.8p9/debian/changelog -@@ -0,0 +1,652 @@ -+sudo (1.6.8p9-2ubuntu2.3) breezy-security; urgency=low +--- sudo-1.6.8p12.orig/debian/changelog ++++ sudo-1.6.8p12/debian/changelog +@@ -0,0 +1,769 @@ ++sudo (1.6.8p12-1ubuntu6) dapper; urgency=low ++ ++  * env.c: Preserve additional environment variables for non-almighty sudoers: ++    HOME, LOGNAME, DISPLAY, XAUTHORITY, XAUTHORIZATION. Closes: LP#44500 ++ ++ -- Martin Pitt <martin.pitt@ubuntu.com>  Wed, 17 May 2006 09:29:15 +0200 ++ ++sudo (1.6.8p12-1ubuntu5) dapper; urgency=low  + -+  * env.c: Fix typo: PYTHONINSPEC -> PYTHONINSPECT. ++  * env.c: Unbreak the env_keep option. Closes: LP#31690 ++  * sudoers: Add some explanatory text why it is a REALLY good idea to use ++    visudo. Closes: LP#11620  + -+ -- Martin Pitt <martin.pitt@ubuntu.com>  Mon,  9 Jan 2006 11:20:12 +0100 ++ -- Martin Pitt <martin.pitt@ubuntu.com>  Tue, 28 Mar 2006 18:52:24 +0200  + -+sudo (1.6.8p9-2ubuntu2.2) breezy-security; urgency=low ++sudo (1.6.8p12-1ubuntu4) dapper; urgency=low  + -+  * SECURITY UPDATE: Privilege escalation. -+  * env.c: Filter out a whole lot of additional env variables that can lead to -+    privilege escalation: GLOBIGNORE, JAVA_TOOL_OPTIONS, PERLIO_DEBUG, -+    PERLLIB, PERL5LIB, PERL5OPT, PERL5DB, FPATH, NULLCMD, READNULLCMD, -+    ZDOTDIR, TMPPREFIX, PYTHONHOME, PYTHONPATH, PYTHONINSPEC, RUBYLIB, -+    RUBYOPT. List taken from Mandriva's security update. -+  * CVE-2005-4158 ++  * Remove the init script, it only cleans up /var/run which is a tmpfs.  
+ -+ -- Martin Pitt <martin.pitt@ubuntu.com>  Thu,  5 Jan 2006 15:25:45 +0000 ++ -- Scott James Remnant <scott@ubuntu.com>  Wed, 22 Feb 2006 16:28:42 +0000  + -+sudo (1.6.8p9-2ubuntu2.1) breezy-security; urgency=low ++sudo (1.6.8p12-1ubuntu3) dapper; urgency=low  + -+  * SECURITY UPDATE: Potential privilege escalation. -+  * env.c: Filter out the SHELLOPTS and PS4 variables. -+  * CVE-2005-2959 ++  * Add debian/sudo_root.8: Introduction about root handling in ubuntu with ++    sudo. ++  * debian/rules: Install that new manpage into sudo and sudo-ldap.  + -+ -- Martin Pitt <martin.pitt@ubuntu.com>  Fri, 28 Oct 2005 14:46:19 -0400 ++ -- Martin Pitt <martin.pitt@ubuntu.com>  Wed,  8 Feb 2006 17:01:50 +0100 ++ ++sudo (1.6.8p12-1ubuntu2) dapper; urgency=low ++ ++  * sudo.c: If the user successfully authenticated and he is in the 'admin' ++    group, then create a stamp ~/.sudo_as_admin_successful. A future ++    /etc/profile will evaluate this flag to display a short help about how to ++    execute things as root. ++ ++ -- Martin Pitt <martin.pitt@ubuntu.com>  Wed, 18 Jan 2006 09:32:02 +0100 ++ ++sudo (1.6.8p12-1ubuntu1) dapper; urgency=low ++ ++  * Resynchronise with Debian, clean up cruft from Ubuntu diff. ++  * debian/postinst: Do not set env_reset flag in newly created sudoers files; ++    it's incompatible with upgrades. ++  * Clean up environment variable handling to fix vulns like CVE-2005-4158 and ++    CVE-2006-0151 once and for all: Only keep known-good variables if user has ++    limited sudo privileges (blacklist -> whitelist) and keep them all for ++    users with unlimited command privileges (to not drive admins and ++    developers up the wall which actually need to pass env variables from time ++    to time). ++    - parse.h, parse.yacc: ++      + Add a new flag 'cmdall' to the matchstack, and a new macro 'cmnd_all' ++        to access it. 
++      + In the "cmnd" grammar rule: Set cmdall to TRUE if command specifier is ++        'ALL', otherwise to FALSE. ++    - sudo.tab.cc: Re-yaccified to match changes to parse.yacc. ++    - sudo.h: Add new sudoers_lookup() return flag FLAG_CMND_ALL. ++    - parse.c, sudoers_lookup(): Set flag FLAG_CMND_ALL if cmnd_all matched. ++    - ldap.c: ++      + sudo_ldap_check_command(): Add return parameter all, set to true ++        if command specifier is 'ALL'. ++      + sudo_ldap_check(): Set flag FLAG_CMND_ALL if sudo_ldap_check_command() ++        returned all=1. ++    - env.c: ++      + Apply Martin Schulze's patch to switch from blacklist to whitelist ++        environment cleaning. ++      + Add parameter 'noclean' to rebuild_env(); if it is != 0, environment ++        variables are not cleaned. ++    - sudo.c: Call rebuild_env() with noclean=1 if FLAG_CMND_ALL is set. ++ ++ -- Martin Pitt <martin.pitt@ubuntu.com>  Tue, 17 Jan 2006 10:03:05 +0100 ++ ++sudo (1.6.8p12-1) unstable; urgency=low ++ ++  * new upstream version, closes: #342948 (CVE-2005-4158) ++  * add env_reset to the sudoers file we create if none already exists, ++    as a further precaution in response to discussion about CVS-2005-4158 ++  * split ldap support into a new sudo-ldap package.  I was trying to avoid ++    doing this, but the impact of going from 4 to 17 linked shlibs on the  ++    autobuilder chroots is sufficient motivation for me. 
++    closes: #344034 ++ ++ -- Bdale Garbee <bdale@gag.com>  Wed, 28 Dec 2005 13:49:10 -0700 ++ ++sudo (1.6.8p9-4) unstable; urgency=low ++ ++  * enable ldap support, deliver README.LDAP and sudoers2ldif, closes: #283231  ++  * merge patch from Martin Pitt / Ubuntu to be more robust about resetting ++    timestamps in the init.d script, closes: #330868 ++  * add dependency header to init.d script, closes: #332849 ++ ++ -- Bdale Garbee <bdale@gag.com>  Sat, 10 Dec 2005 07:47:07 -0800 ++ ++sudo (1.6.8p9-3ubuntu4) dapper; urgency=low ++ ++  * Revert addition of sudo -t, i. e. revert to version 1.6.8p9-3ubuntu1. As ++    per TB discussion, we will not use sudo for implementing ++    https://wiki.ubuntu.com/HideAdminToolsToUsers. ++ ++ -- Martin Pitt <martin.pitt@ubuntu.com>  Tue, 29 Nov 2005 23:27:42 +0100 ++ ++sudo (1.6.8p9-3ubuntu3) dapper; urgency=low ++ ++  * sudo.c: Log failures even in test mode, to avoid the possibility of ++    silently poking around for interesting sudo privileges. This will generate ++    a lot of auth log clutter in the desktop case, but will not change sudo ++    semantics where it matters (on servers). ++ ++ -- Martin Pitt <martin.pitt@ubuntu.com>  Thu, 17 Nov 2005 10:35:04 +0100 ++ ++sudo (1.6.8p9-3ubuntu2) dapper; urgency=low ++ ++  * Add option -t which only tests whether the given command can be executed ++    and does not require a password. This is required for the ++    https://wiki.ubuntu.com/HideAdminToolsToUsers spec. ++  * sudo.h: Add MODE_TESTONLY mode. ++  * sudo.c: Add -t parsing and do not actually run the command in test mode, ++    just return success or failure. Also, add the new option to the "usage" ++    output. ++  * sudo.pod: Document new -t option. ++  * Put patch into debian/ubuntu-patches/sudo.add-test-option.patch to have ++    it separate for future merges (requires a manual "make sudo.man.in" to ++    actually run pod2man). 
++ ++ -- Martin Pitt <martin.pitt@ubuntu.com>  Wed,  9 Nov 2005 17:40:43 -0500 ++ ++sudo (1.6.8p9-3ubuntu1) dapper; urgency=low ++ ++  * Resynchronise with Debian. ++ ++ -- Martin Pitt <martin.pitt@ubuntu.com>  Wed,  9 Nov 2005 17:12:06 -0500 ++ ++sudo (1.6.8p9-3) unstable; urgency=high ++ ++  * update debhelper compatibility level from 2 to 4 ++  * add man page symlink for sudoedit ++  * Clean SHELLOPTS and PS4 from the environment before executing programs ++    with sudo permissions [env.c, CAN-2005-2959] ++  * fix typo in manpage pointed out by Moray Allen, closes: #285995 ++  * fix paths in sample complex sudoers file, closes: #303542 ++  * fix type in sudoers man page, closes: #311244 ++ ++ -- Bdale Garbee <bdale@gag.com>  Wed, 28 Sep 2005 01:18:04 -0600  +  +sudo (1.6.8p9-2ubuntu2) breezy; urgency=low  + 
@@ -2827,14 +3206,217 @@  +  +	* New upstream version  +	* Minor changes to debian.rules ---- sudo-1.6.8p9.orig/debian/sudo.lintian -+++ sudo-1.6.8p9/debian/sudo.lintian +--- sudo-1.6.8p12.orig/debian/sudo_root.8 ++++ sudo-1.6.8p12/debian/sudo_root.8 +@@ -0,0 +1,135 @@ ++.TH sudo_root 8 "February 8, 2006" ++ ++.SH NAME ++sudo_root \- How to run administrative commands ++ ++.SH SYNOPSIS ++ ++.B sudo ++.I command ++ ++.B sudo \-i ++ ++.SH INTRODUCTION ++ ++By default, the password for the user "root" (the system ++administrator) is locked. This means you cannot login as root or use ++su. Instead, the installer will set up sudo to allow the user that is ++created during install to run all administrative commands. ++ ++This means that in the terminal you can use sudo for commands that ++require root privileges. All programs in the menu will use a graphical ++sudo to prompt for a password. When sudo asks for a password, it needs ++.B your password,  ++this means that a root password is not needed. ++ ++To run a command which requires root privileges in a terminal, simply ++prepend  ++.B sudo ++in front of it. To get an interactive root shell, use ++.B sudo \-i\fR. ++ ++.SH ALLOWING OTHER USERS TO RUN SUDO ++ ++By default, only the user who installed the system is permitted to run ++sudo. To add more administrators, i. e. users who can run sudo, you ++have to add these users to the group 'admin' by doing one of the ++following steps: ++ ++.IP * 2 ++In a shell, do ++ ++.RS 4 ++.B sudo adduser ++.I username ++.B admin ++.RE ++ ++.IP * 2 ++Use the graphical "Users & Groups" program in the "System settings" ++menu to add the new user to the ++.B admin ++group. ++ ++.SH BENEFITS OF USING SUDO ++ ++The benefits of leaving root disabled by default include the following: ++ ++.IP * 2 ++Users do not have to remember an extra password, which they are likely to forget. ++.IP * 2 ++The installer is able to ask fewer questions. 
++.IP * 2 ++It avoids the "I can do anything" interactive login by default \- you ++will be prompted for a password before major changes can happen, which ++should make you think about the consequences of what you are doing. ++.IP * 2 ++Sudo adds a log entry of the command(s) run (in \fB/var/log/auth.log\fR). ++.IP * 2 ++Every attacker trying to brute\-force their way into your box will ++know it has an account named root and will try that first. What they ++do not know is what the usernames of your other users are. ++.IP * 2 ++Allows easy transfer for admin rights, in a short term or long term ++period, by adding and removing users from the admin group, while not ++compromising the root account. ++.IP * 2 ++sudo can be set up with a much more fine\-grained security policy. ++ ++.SH DOWNSIDES OF USING SUDO ++ ++Although for desktops the benefits of using sudo are great, there are ++possible issues which need to be noted: ++ ++.IP * 2 ++Redirecting the output of commands run with sudo can be confusing at ++first. For instance consider ++ ++.RS 4 ++.B sudo ls > /root/somefile ++.RE ++ ++.RS 2 ++will not work since it is the shell that tries to write to that file. You can use  ++.RE ++ ++.RS 4 ++.B ls | sudo tee /root/somefile ++.RE ++ ++.RS 2 ++to get the behaviour you want. ++.RE ++ ++.IP * 2 ++In a lot of office environments the ONLY local user on a system is ++root. All other users are imported using NSS techniques such as ++nss\-ldap. To setup a workstation, or fix it, in the case of a network ++failure where nss\-ldap is broken, root is required. This tends to ++leave the system unusable. An extra local user, or an enabled root ++password is needed here. ++ ++.SH GOING BACK TO A TRADITIONAL ROOT ACCOUNT ++ ++.B This is not recommended! ++ ++To enable the root account (i.e. 
set a password) use: ++ ++.RS 4 ++.B sudo passwd root ++.RE ++ ++Afterwards, edit ++.B /etc/sudoers ++and comment out the line ++ ++.RS 4 ++%admin  ALL=(ALL) ALL ++.RE ++ ++to disable sudo access to members of the admin group. ++ ++.SH SEE ALSO ++.BR sudo (8), ++.B https://wiki.ubuntu.com/RootSudo ++ +--- sudo-1.6.8p12.orig/debian/sudo-ldap.postinst ++++ sudo-1.6.8p12/debian/sudo-ldap.postinst +@@ -0,0 +1,62 @@ ++#!/usr/bin/perl ++ ++# remove old link ++ ++unlink ("/etc/alternatives/sudo") if ( -l "/etc/alternatives/sudo"); ++ ++# make sure we have a sudoers file ++if ( ! -f "/etc/sudoers") { ++ ++	print "No /etc/sudoers found... creating one for you.\n"; ++ ++	open (SUDOERS, "> /etc/sudoers"); ++	print SUDOERS "# /etc/sudoers\n", ++	  "#\n", ++	  "# This file MUST be edited with the 'visudo' command as root.\n", ++	  "#\n", ++	  "# See the man page for details on how to write a sudoers file.\n", ++	  "#\n\nDefaults\tenv_reset\n\n", ++	  "# Host alias specification\n\n", ++	  "# User alias specification\n\n", ++	  "# Cmnd alias specification\n\n", ++	  "# User privilege specification\nroot\tALL=(ALL) ALL\n"; ++	close SUDOERS; ++ ++} ++ ++# make sure sudoers has the correct permissions and owner/group ++system ('chown root:root /etc/sudoers'); ++system ('chmod 440 /etc/sudoers'); ++ ++# must do a remove first to un-do the "bad" links created by previous version ++system ('update-rc.d -f sudo remove >/dev/null 2>&1'); ++ ++#system ('update-rc.d sudo start 75 S . >/dev/null'); ++ ++# make sure we have a sudo group ++ ++exit 0 if getgrnam("sudo"); # we're finished if there is a group sudo ++ ++$gid = 27;                 # start searcg with gid 27 ++setgrent; ++while (getgrgid($gid)) { ++	++$gid; ++} ++endgrent; ++ ++if ($gid != 27) { ++	print "On Debian we normally use gid 27 for 'sudo'.\n"; ++	$gname = getgrgid(27); ++	print "However, on your system gid 27 is group '$gname'.\n\n"; ++	print "Would you like me to stop configuring sudo so that you can change this? 
[n] ";  ++	$ans = <STDIN>; ++        if ($ans =~ m/^[yY].*/) { ++		print "'dpkg --pending --configure' will restart the configuration.\n\n\n"; ++		exit 1; ++	} ++} ++ ++print "Creating group 'sudo' with gid = $gid\n"; ++system("groupadd -g $gid sudo"); ++ ++print ""; +--- sudo-1.6.8p12.orig/debian/sudo.lintian ++++ sudo-1.6.8p12/debian/sudo.lintian  @@ -0,0 +1,3 @@  +sudo: setuid-binary usr/bin/sudo 4755 root/root  +sudo: postrm-contains-additional-updaterc.d-calls /etc/init.d/sudo  +sudo: script-in-etc-init.d-not-registered-via-update-rc.d /etc/init.d/sudo ---- sudo-1.6.8p9.orig/debian/postinst -+++ sudo-1.6.8p9/debian/postinst +--- sudo-1.6.8p12.orig/debian/postinst ++++ sudo-1.6.8p12/debian/postinst  @@ -0,0 +1,62 @@  +#!/usr/bin/perl  + @@ -2853,7 +3435,7 @@  +	  "# This file MUST be edited with the 'visudo' command as root.\n",  +	  "#\n",  +	  "# See the man page for details on how to write a sudoers file.\n", -+	  "#\n\n# Host alias specification\n\n", ++	  "# Host alias specification\n\n",  +	  "# User alias specification\n\n",  +	  "# Cmnd alias specification\n\n",  +	  "# Defaults\n\nDefaults\t!lecture,tty_tickets,!fqdn\n\n", @@ -2869,7 +3451,7 @@  +# must do a remove first to un-do the "bad" links created by previous version  +system ('update-rc.d -f sudo remove >/dev/null 2>&1');  + -+system ('update-rc.d sudo start 75 S . >/dev/null'); ++#system ('update-rc.d sudo start 75 S . >/dev/null');  +  +# make sure we have a sudo group  + 
@@ -2898,11 +3480,23 @@  +system("groupadd -g $gid sudo");  +  +print ""; ---- sudo-1.6.8p9.orig/debian/init.d -+++ sudo-1.6.8p9/debian/init.d -@@ -0,0 +1,23 @@ +--- sudo-1.6.8p12.orig/debian/compat ++++ sudo-1.6.8p12/debian/compat +@@ -0,0 +1 @@ ++4 +--- sudo-1.6.8p12.orig/debian/init.d ++++ sudo-1.6.8p12/debian/init.d +@@ -0,0 +1,31 @@  +#! /bin/sh  + ++### BEGIN INIT INFO ++# Provides:          sudu ++# Required-Start:    $local_fs $remote_fs ++# Required-Stop: ++# Default-Start:     S 1 2 3 4 5 ++# Default-Stop:      0 6 ++### END INIT INFO ++  +N=/etc/init.d/sudo  +  +set -e @@ -2924,19 +3518,63 @@  +esac  +  +exit 0 ---- sudo-1.6.8p9.orig/debian/postrm -+++ sudo-1.6.8p9/debian/postrm +--- sudo-1.6.8p12.orig/debian/sudo-ldap.lintian ++++ sudo-1.6.8p12/debian/sudo-ldap.lintian +@@ -0,0 +1,3 @@ ++sudo-ldap: setuid-binary usr/bin/sudo 4755 root/root ++sudo-ldap: postrm-contains-additional-updaterc.d-calls /etc/init.d/sudo-ldap ++sudo-ldap: script-in-etc-init.d-not-registered-via-update-rc.d /etc/init.d/sudo-ldap +--- sudo-1.6.8p12.orig/debian/sudo-ldap.dirs ++++ sudo-1.6.8p12/debian/sudo-ldap.dirs  
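Review bot: The LSB header added to debian/init.d declares `# Provides:          sudu`, which looks like a typo for `sudo`; the script itself sets `N=/etc/init.d/sudo`. Tools that order boot scripts by their LSB headers key on the Provides name, so the facility would be registered under the wrong name. The line should read `# Provides:          sudo`. The header also leaves `Required-Stop:` empty while listing `Default-Stop:      0 6`, which is worth confirming against what the stop action does. The body of the script is elided from this hunk.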
@@ -0,0 +1,7 @@ -+#!/bin/sh ++etc/pam.d ++usr/bin ++usr/share/man/man8 ++usr/share/man/man5 ++usr/sbin ++usr/share/doc/sudo-ldap/examples ++usr/share/lintian/overrides +--- sudo-1.6.8p12.orig/debian/sudo-ldap.docs ++++ sudo-1.6.8p12/debian/sudo-ldap.docs +@@ -0,0 +1,11 @@ ++debian/OPTIONS  ++BUGS  ++RUNSON  ++UPGRADE  ++PORTING ++TODO  ++HISTORY  ++README  ++README.LDAP  ++TROUBLESHOOTING ++sudoers2ldif +--- sudo-1.6.8p12.orig/debian/postrm ++++ sudo-1.6.8p12/debian/postrm +@@ -0,0 +1,21 @@ ++#! /bin/sh ++ ++set -e  +  +case "$1" in -+    purge) -+    	rm -f /etc/sudoers -+    ;; ++       purge) ++	rm -f /etc/sudoers ++        ;; ++ ++       remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) ++        ;; ++ ++    *) ++        echo "postrm called with unknown argument \`$1'" >&2 ++        exit 1 ++  +esac ---- sudo-1.6.8p9.orig/debian/OPTIONS -+++ sudo-1.6.8p9/debian/OPTIONS -@@ -0,0 +1,49 @@ ++ ++#DEBHELPER# ++ ++exit 0 +--- sudo-1.6.8p12.orig/debian/OPTIONS ++++ sudo-1.6.8p12/debian/OPTIONS +@@ -0,0 +1,61 @@  +The following options were used to configure sudo for Debian GNU/Linux.  +  +  --with-exempt=sudo  @@ -2949,6 +3587,10 @@  +	  +	Support for pluggable authentication modules.  + ++  --with-ldap ++ ++	Support for LDAP authentication. ++  +  --with-fqdn   +  +	Allow use of fully qualified domain names in the sudoers file. @@ -2986,8 +3628,16 @@  +	Include all the insults in the binary, won't be enabled unless turned  +	on in the sudoers file.  + ---- sudo-1.6.8p9.orig/debian/copyright -+++ sudo-1.6.8p9/debian/copyright ++  --with-sendmail=/usr/sbin/sendmail ++ ++	Use Debian policy to know the location of sendmail instead of trying  ++	to detect it at build time. ++ ++  --disable-setresuid ++ ++	Linux 2.2 kernels don't support setresgid. +--- sudo-1.6.8p12.orig/debian/copyright ++++ sudo-1.6.8p12/debian/copyright  
@@ -0,0 +1,72 @@  +This is the Debian GNU/Linux prepackaged version of sudo.  sudo is  +used to provide limited super user privileges to specific users. @@ -3061,25 +3711,284 @@  +   LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY  +   OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF  +   SUCH DAMAGE. ---- sudo-1.6.8p9.orig/debian/sudo.pam -+++ sudo-1.6.8p9/debian/sudo.pam +--- sudo-1.6.8p12.orig/debian/sudo.pam ++++ sudo-1.6.8p12/debian/sudo.pam  @@ -0,0 +1,4 @@  +#%PAM-1.0  +  +@include common-auth  +@include common-account ---- sudo-1.6.8p9.orig/debian/source.lintian-overrides -+++ sudo-1.6.8p9/debian/source.lintian-overrides +--- sudo-1.6.8p12.orig/debian/source.lintian-overrides ++++ sudo-1.6.8p12/debian/source.lintian-overrides  
@@ -0,0 +1 @@  +sudo source: maintainer-script-lacks-debhelper-token debian/postinst ---- sudo-1.6.8p9.orig/sample.sudoers -+++ sudo-1.6.8p9/sample.sudoers -@@ -36,7 +36,7 @@ +--- sudo-1.6.8p12.orig/sample.sudoers ++++ sudo-1.6.8p12/sample.sudoers +@@ -35,16 +35,16 @@ + # Cmnd alias specification   ##   Cmnd_Alias	DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \ - 			/usr/sbin/rrestore, /usr/bin/mt +-			/usr/sbin/rrestore, /usr/bin/mt  -Cmnd_Alias	KILL = /usr/bin/kill ++			/usr/sbin/rrestore, /bin/mt  +Cmnd_Alias	KILL = /bin/kill   Cmnd_Alias	PRINTING = /usr/sbin/lpc, /usr/bin/lprm - Cmnd_Alias	SHUTDOWN = /usr/sbin/shutdown - Cmnd_Alias	HALT = /usr/sbin/halt +-Cmnd_Alias	SHUTDOWN = /usr/sbin/shutdown +-Cmnd_Alias	HALT = /usr/sbin/halt +-Cmnd_Alias	REBOOT = /usr/sbin/reboot +-Cmnd_Alias	SHELLS = /sbin/sh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \ +-			 /usr/local/bin/tcsh, /usr/bin/rsh, \ +-			 /usr/local/bin/zsh +-Cmnd_Alias	SU = /usr/bin/su ++Cmnd_Alias	SHUTDOWN = /sbin/shutdown ++Cmnd_Alias	HALT = /sbin/halt ++Cmnd_Alias	REBOOT = /sbin/reboot ++Cmnd_Alias	SHELLS = /sbin/sh, /bin/sh, /bin/csh, /usr/bin/ksh, \ ++			 /usr/bin/tcsh, /usr/bin/rsh, \ ++			 /usr/bin/zsh ++Cmnd_Alias	SU = /bin/su + Cmnd_Alias	VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \ + 		       /usr/bin/chfn +  +@@ -82,7 +82,7 @@ + 		sudoedit /etc/printcap, /usr/oper/bin/ +  + # joe may su only to operator +-joe		ALL = /usr/bin/su operator ++joe		ALL = /bin/su operator +  + # pete may change passwords for anyone but root on the hp snakes + pete		HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root +@@ -96,13 +96,13 @@ +  + # users in the secretaries netgroup need to help manage the printers + # as well as add and remove users +-+secretaries	ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser +++secretaries	ALL = PRINTING, /usr/sbin/adduser, /usr/bin/rmuser +  + # fred can run commands as oracle or sybase without a password + fred		ALL = (DB) NOPASSWD: ALL +  + # on the alphas, 
john may su to anyone but root and flags are not allowed +-john		ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* ++john		ALPHA = /bin/su [!-]*, !/bin/su *root* +  + # jen can run anything on all machines except the ones + # in the "SERVERS" Host_Alias +--- sudo-1.6.8p12.orig/sudo.tab.c ++++ sudo-1.6.8p12/sudo.tab.c +@@ -138,6 +138,7 @@ + 	} \ + 	match[top].user   = UNSPEC; \ + 	match[top].cmnd   = UNSPEC; \ ++	match[top].cmndall= UNSPEC; \ + 	match[top].host   = UNSPEC; \ + 	match[top].runas  = UNSPEC; \ + 	match[top].nopass = def_authenticate ? UNSPEC : TRUE; \ +@@ -153,6 +154,7 @@ + 	} \ + 	match[top].user   = match[top-1].user; \ + 	match[top].cmnd   = match[top-1].cmnd; \ ++	match[top].cmndall= match[top-1].cmndall; \ + 	match[top].host   = match[top-1].host; \ + 	match[top].runas  = match[top-1].runas; \ + 	match[top].nopass = match[top-1].nopass; \ +@@ -1739,6 +1741,7 @@ + 				} + 			    } +  ++			    SETMATCH(cmnd_all, TRUE); + 			    yyval.BOOLEAN = TRUE; + 			} + break; +@@ -1769,6 +1772,7 @@ + 					YYERROR; + 				    } + 				} ++				SETMATCH(cmnd_all, FALSE); + 				yyval.BOOLEAN = NOMATCH; + 			    } + 			    free(yyvsp[0].string); +@@ -1800,6 +1804,7 @@ + 			    free(yyvsp[0].command.cmnd); + 			    if (yyvsp[0].command.args) + 				free(yyvsp[0].command.args); ++			    SETMATCH(cmnd_all, FALSE); + 			} + break; + case 65: +--- sudo-1.6.8p12.orig/ldap.c ++++ sudo-1.6.8p12/ldap.c +@@ -256,9 +256,10 @@ +  * Walks through search result and returns true if we have a +  * command match +  */ +-int sudo_ldap_check_command(ld,entry) ++int sudo_ldap_check_command(ld,entry,all) +   LDAP *ld; +   LDAPMessage *entry; ++  int* all; + { +   char **v=NULL; +   char **p=NULL; +@@ -267,6 +268,8 @@ +   int  ret=0; +   int  foundbang; +  ++  *all=0; ++ +   if (!entry) return ret; +  +   v=ldap_get_values(ld,entry,"sudoCommand"); +@@ -277,6 +280,7 @@ +  +     /* Match against ALL ? 
*/ +     if (!strcasecmp(*p,"ALL")) { ++      *all=1; +       ret=1; +       if (ldap_conf.debug>1) printf(" MATCH!\n"); +       continue; +@@ -711,6 +715,7 @@ +   /* flags */ +   int ldap_user_matches=0; +   int ldap_host_matches=0; ++  int command_all=0; +  +   if (!sudo_ldap_read_config())  return VALIDATE_ERROR; +  +@@ -896,7 +901,7 @@ +           /* add matches for listing later */ +           sudo_ldap_add_match(ld,entry) && +           /* verify command match */ +-          sudo_ldap_check_command(ld,entry) && ++          sudo_ldap_check_command(ld,entry,&command_all) && +           /* verify runas match */ +           sudo_ldap_check_runas(ld,entry) +       ) +@@ -907,6 +912,7 @@ +         sudo_ldap_parse_options(ld,entry); +         /* make sure we dont reenter loop */ +         ret=VALIDATE_OK; ++        if(command_all) SET(ret,FLAG_CMND_ALL); +         /* break from inside for loop */ +         break; +       } +--- sudo-1.6.8p12.orig/sudo.c ++++ sudo-1.6.8p12/sudo.c +@@ -106,10 +106,11 @@ + static void set_loginclass		__P((struct passwd *)); + static void usage			__P((int)); + static void usage_excl			__P((int)); ++static void create_admin_success_flag   __P((void)); + static struct passwd *get_authpw	__P((void)); + extern int sudo_edit			__P((int, char **)); + extern void list_matches		__P((void)); +-extern char **rebuild_env		__P((char **, int, int)); ++extern char **rebuild_env		__P((char **, int, int, int)); + extern char **zero_env			__P((char **)); + extern struct passwd *sudo_getpwnam	__P((const char *)); + extern struct passwd *sudo_getpwuid	__P((uid_t)); +@@ -368,11 +369,15 @@ +  +     /* Build a new environment that avoids any nasty bits if we have a cmnd. 
*/ +     if (ISSET(sudo_mode, MODE_RUN)) +-	new_environ = rebuild_env(envp, sudo_mode, ISSET(validated, FLAG_NOEXEC)); ++	new_environ = rebuild_env(envp, sudo_mode, ISSET(validated, FLAG_NOEXEC), ISSET(validated, FLAG_CMND_ALL)); +     else + 	new_environ = envp; +  +     if (ISSET(validated, VALIDATE_OK)) { ++	/* If the user is in the admin group, create a dotfile to signal that ++	 * sudo was executed successfully. */ ++	create_admin_success_flag(); ++ + 	/* Finally tell the user if the command did not exist. */ + 	if (cmnd_status == NOT_FOUND_DOT) { + 	    warnx("ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run.", user_cmnd, user_cmnd, user_cmnd); +@@ -1156,3 +1161,46 @@ +     putchar('\n'); +     exit(exit_val); + } ++ ++static void create_admin_success_flag(void) ++{ ++    struct group* admin; ++    char** g; ++    int is_admin; ++    char flagfile[PATH_MAX]; ++    int f; ++ ++    if (!sudo_user.pw || !sudo_user.pw->pw_name || !sudo_user.pw->pw_dir) ++	return; ++ ++    /* check whether the user is in the admin group */ ++    admin = getgrnam("admin"); ++    if (!admin || !admin->gr_mem) ++	return; ++    is_admin = 0; ++    for (g = admin->gr_mem; *g; ++g) { ++	if (!strcmp(*g, sudo_user.pw->pw_name)) { ++	    is_admin = 1; ++	    break; ++	} ++    } ++    if (!is_admin) ++	return; ++ ++    /* build path to flag file */ ++    snprintf(flagfile, sizeof(flagfile), "%s/.sudo_as_admin_successful", ++	    sudo_user.pw->pw_dir); ++    if (strlen(flagfile) >= sizeof(flagfile)-1) ++	return; ++ ++    /* do nothing if the file already exists */ ++    if (!access(flagfile, F_OK)) ++	return; ++ ++    /* create file */ ++    f = open(flagfile, O_CREAT|O_WRONLY|O_EXCL, 0644); ++    if(f >= 0) { ++	fchown(f, sudo_user.pw->pw_uid, sudo_user.pw->pw_gid); ++	close(f); ++    } ++} +--- sudo-1.6.8p12.orig/sudo.h ++++ sudo-1.6.8p12/sudo.h +@@ -65,6 +65,7 @@ + #define FLAG_NO_HOST		0x080 + #define FLAG_NO_CHECK		0x100 + #define FLAG_NOEXEC		0x200 
++#define FLAG_CMND_ALL           0x400 +  + /* +  * Pseudo-boolean values +--- sudo-1.6.8p12.orig/parse.c ++++ sudo-1.6.8p12/parse.c +@@ -200,7 +200,8 @@ + 		    set_perms(PERM_ROOT); + 		    return(VALIDATE_OK | + 			(no_passwd == TRUE ? FLAG_NOPASS : 0) | +-			(no_execve == TRUE ? FLAG_NOEXEC : 0)); ++			(no_execve == TRUE ? FLAG_NOEXEC : 0) | ++                        (cmnd_all == TRUE ? FLAG_CMND_ALL : 0)); + 		} else if ((runas_matches == TRUE && cmnd_matches == FALSE) || + 		    (runas_matches == FALSE && cmnd_matches == TRUE)) { + 		    /* +--- sudo-1.6.8p12.orig/parse.h ++++ sudo-1.6.8p12/parse.h +@@ -29,6 +29,7 @@ + struct matchstack { + 	int user; + 	int cmnd; ++	int cmndall; + 	int host; + 	int runas; + 	int nopass; +@@ -46,6 +47,7 @@ +  + #define user_matches	(match[top-1].user) + #define cmnd_matches	(match[top-1].cmnd) ++#define cmnd_all	(match[top-1].cmndall) + #define host_matches	(match[top-1].host) + #define runas_matches	(match[top-1].runas) + #define no_passwd	(match[top-1].nopass) diff --git a/package/sudo/sudo_1.6.8p12-2-no-cxx-configcheck.patch b/package/sudo/sudo_1.6.8p12-2-no-cxx-configcheck.patch new file mode 100644 index 000000000..0a0b0a46a --- /dev/null +++ b/package/sudo/sudo_1.6.8p12-2-no-cxx-configcheck.patch @@ -0,0 +1,22 @@ +diff -u sudo-1.6.8p12.orig/configure sudo-1.6.8p12/configure +--- sudo-1.6.8p12.orig/configure	2006-12-21 12:06:02.000000000 +0100 ++++ sudo-1.6.8p12/configure	2006-12-21 12:12:06.000000000 +0100 +@@ -6072,7 +6072,8 @@ + fi +  + done +- ++if test -n "$CXX" ++then + ac_ext=cc + ac_cpp='$CXXCPP $CPPFLAGS' + ac_compile='$CXX -c $CXXFLAGS $CPPFLAGS conftest.$ac_ext >&5' +@@ -6654,7 +6655,7 @@ + ac_link='$CXX -o conftest$ac_exeext $CXXFLAGS $CPPFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' + ac_compiler_gnu=$ac_cv_cxx_compiler_gnu +  +- ++fi + ac_ext=f + ac_compile='$F77 -c $FFLAGS conftest.$ac_ext >&5' + ac_link='$F77 -o conftest$ac_exeext $FFLAGS $LDFLAGS conftest.$ac_ext $LIBS >&5' | 
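Review bot: create_admin_success_flag() in sudo.c creates a file inside the invoking user's home directory from the VALIDATE_OK path, and the hunk does not show which privileges are in effect at that call; if it is still root, a privileged process is writing into a directory controlled by a less privileged user. `O_CREAT|O_EXCL` already refuses an existing name or a symlink as the last path component, so the preceding `access()` probe only adds a check-then-use window and can be dropped. The truncation test via `strlen()` works but is indirect, and the ignored result of `fchown()` can leave a root-owned file behind. The fence shows the tightened tail of the function; if the caller does run as root, switching to the user's identity before the `open()` would be the stronger fix.

```c
    int f, n;	/* n: snprintf() result, used to detect truncation */

    /* … unchanged: sudo_user.pw checks and admin group membership test … */

    /* build path to flag file; a result >= the buffer size means truncation */
    n = snprintf(flagfile, sizeof(flagfile), "%s/.sudo_as_admin_successful",
	    sudo_user.pw->pw_dir);
    if (n < 0 || (size_t)n >= sizeof(flagfile))
	return;

    /* O_EXCL makes creation atomic and fails on an existing name or a
     * symlink, so no separate access() probe is needed */
    f = open(flagfile, O_CREAT|O_WRONLY|O_EXCL, 0644);
    if (f >= 0) {
	/* do not leave a file with the wrong owner in the user's home */
	if (fchown(f, sudo_user.pw->pw_uid, sudo_user.pw->pw_gid) != 0)
	    (void) unlink(flagfile);
	close(f);
    }
```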
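Review bot: The new sudo_1.6.8p12-2-no-cxx-configcheck.patch carries no description, so the reason for wrapping the C++ probes in `if test -n "$CXX"` … `fi` has to be guessed from the file name. It also edits the generated `configure` directly, so the change would be lost if configure is regenerated from its input, which is not visible here. A header line above `diff -u`, such as `Skip configure's C++ compiler checks when CXX is unset.`, would record the intent.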
