Hello community, here is the log from the commit of package sudo for openSUSE:Factory checked in at 2016-05-05 13:18:29 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sudo (Old) and /work/SRC/openSUSE:Factory/.sudo.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sudo" Changes: -------- --- /work/SRC/openSUSE:Factory/sudo/sudo.changes 2016-03-26 15:11:51.000000000 +0100 +++ /work/SRC/openSUSE:Factory/.sudo.new/sudo.changes 2016-05-05 13:18:31.000000000 +0200 @@ -1,0 +2,8 @@ +Fri Apr 29 11:34:18 UTC 2016 - [email protected] + +- add sudo-1.8.16-pam_groups.patch to do group setup in + policy_init_session() before calling out to the plugin. This makes + it possible for the pam_group module to change the group in + pam_setcred() [fate#318850] + +------------------------------------------------------------------- New: ---- sudo-1.8.16-pam_groups.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sudo.spec ++++++ --- /var/tmp/diff_new_pack.8UyTaq/_old 2016-05-05 13:18:32.000000000 +0200 +++ /var/tmp/diff_new_pack.8UyTaq/_new 2016-05-05 13:18:32.000000000 +0200 @@ -33,6 +33,7 @@ Patch0: sudoers2ldif-env.patch # PATCH-OPENSUSE: the "SUSE" branding of the default sudo config Patch1: sudo-sudoers.patch +Patch2: sudo-1.8.16-pam_groups.patch BuildRequires: audit-devel BuildRequires: groff BuildRequires: libselinux-devel @@ -73,6 +74,7 @@ %setup -q %patch0 -p1 %patch1 -p1 +%patch2 -p1 %build %ifarch s390 s390x %sparc ++++++ sudo-1.8.16-pam_groups.patch ++++++ # HG changeset patch # User Todd C. Miller <[email protected]> # Date 1461862918 21600 # Node ID 814cda6025419e40b417f7d797757e11259feef2 # Parent ef0a5428a5744ca1c7fcb1874d1fff37becc6a90 Do group setup in policy_init_session() before calling out to the plugin. This makes it possible for the pam_group module to change the group in pam_setcred(). It's a bit bogus since pam_setcred() is documented as not changing the group or user ID, but pam_group is shipped with stock Linux-PAM so we need to support it. diff -r ef0a5428a574 -r 814cda602541 src/sudo.c --- a/src/sudo.c Tue Apr 26 14:39:42 2016 -0600 +++ b/src/sudo.c Thu Apr 28 11:01:58 2016 -0600 
@@ -939,7 +939,8 @@ } /* - * Setup the execution environment immediately prior to the call to execve() + * Setup the execution environment immediately prior to the call to execve(). + * Group setup is performed by policy_init_session(), called earlier. * Returns true on success and false on failure. */ bool @@ -1018,30 +1019,6 @@ #endif /* HAVE_LOGIN_CAP_H */ } - /* - * Set groups, including supplementary group vector. - */ - if (!ISSET(details->flags, CD_PRESERVE_GROUPS)) { - if (details->ngroups >= 0) { - if (sudo_setgroups(details->ngroups, details->groups) < 0) { - sudo_warn(U_("unable to set supplementary group IDs")); - goto done; - } - } - } -#ifdef HAVE_SETEUID - if (ISSET(details->flags, CD_SET_EGID) && setegid(details->egid)) { - sudo_warn(U_("unable to set effective gid to runas gid %u"), - (unsigned int)details->egid); - goto done; - } -#endif - if (ISSET(details->flags, CD_SET_GID) && setgid(details->gid)) { - sudo_warn(U_("unable to set gid to runas gid %u"), - (unsigned int)details->gid); - goto done; - } - if (ISSET(details->flags, CD_SET_PRIORITY)) { if (setpriority(PRIO_PROCESS, 0, details->priority) != 0) { sudo_warn(U_("unable to set process priority")); 
@@ -1365,6 +1342,35 @@ int rval = true; debug_decl(policy_init_session, SUDO_DEBUG_PCOMM) + /* + * We set groups, including supplementary group vector, + * as part of the session setup. This allows for dynamic + * groups to be set via pam_group(8) in pam_setcred(3). + */ + if (!ISSET(details->flags, CD_PRESERVE_GROUPS)) { + if (details->ngroups >= 0) { + if (sudo_setgroups(details->ngroups, details->groups) < 0) { + sudo_warn(U_("unable to set supplementary group IDs")); + rval = -1; + goto done; + } + } + } +#ifdef HAVE_SETEUID + if (ISSET(details->flags, CD_SET_EGID) && setegid(details->egid)) { + sudo_warn(U_("unable to set effective gid to runas gid %u"), + (unsigned int)details->egid); + rval = -1; + goto done; + } +#endif + if (ISSET(details->flags, CD_SET_GID) && setgid(details->gid)) { + sudo_warn(U_("unable to set gid to runas gid %u"), + (unsigned int)details->gid); + rval = -1; + goto done; + } + if (policy_plugin.u.policy->init_session) { /* * Backwards compatibility for older API versions @@ -1381,6 +1387,7 @@ } sudo_debug_set_active_instance(sudo_debug_instance); } +done: debug_return_int(rval); }
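Review bot: The group-setup block added to policy_init_session() signals failure with `rval = -1` although the function starts from `int rval = true`. A caller that tests truthiness rather than comparing against `true` would therefore treat a failed sudo_setgroups(), setegid() or setgid() as success and run the command with the group IDs unchanged. The callers are not in this diff, so each should be checked for `!= true`, and the contract is worth stating above the function, e.g. `/* Returns true on success; any other value means session or group setup failed and the command must not be run. */`. Since exec_setup() no longer sets groups (second hunk of src/sudo.c), any path that reaches it without a successful policy_init_session() call would presumably keep the invoking process's group vector, which also deserves a check. The function begins and ends outside the hunk, so the code between the plugin call and the new `done:` label is not visible here.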
