Hello community,

here is the log from the commit of package sudo for openSUSE:Factory checked in 
at 2016-05-05 13:18:29
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sudo (Old)
 and      /work/SRC/openSUSE:Factory/.sudo.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "sudo"

Changes:
--------
--- /work/SRC/openSUSE:Factory/sudo/sudo.changes        2016-03-26 
15:11:51.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.sudo.new/sudo.changes   2016-05-05 
13:18:31.000000000 +0200
@@ -1,0 +2,8 @@
+Fri Apr 29 11:34:18 UTC 2016 - [email protected]
+
+- add sudo-1.8.16-pam_groups.patch to do group setup in
+  policy_init_session() before calling out to the plugin. This makes
+  it possible for the pam_group module to change the group in
+  pam_setcred() [fate#318850]
+
+-------------------------------------------------------------------

New:
----
  sudo-1.8.16-pam_groups.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ sudo.spec ++++++
--- /var/tmp/diff_new_pack.8UyTaq/_old  2016-05-05 13:18:32.000000000 +0200
+++ /var/tmp/diff_new_pack.8UyTaq/_new  2016-05-05 13:18:32.000000000 +0200
@@ -33,6 +33,7 @@
 Patch0:         sudoers2ldif-env.patch
 # PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
 Patch1:         sudo-sudoers.patch
+Patch2:         sudo-1.8.16-pam_groups.patch
 BuildRequires:  audit-devel
 BuildRequires:  groff
 BuildRequires:  libselinux-devel
@@ -73,6 +74,7 @@
 %setup -q
 %patch0 -p1
 %patch1 -p1
+%patch2 -p1
 
 %build
 %ifarch s390 s390x %sparc

++++++ sudo-1.8.16-pam_groups.patch ++++++
# HG changeset patch
# User Todd C. Miller <[email protected]>
# Date 1461862918 21600
# Node ID 814cda6025419e40b417f7d797757e11259feef2
# Parent  ef0a5428a5744ca1c7fcb1874d1fff37becc6a90
Do group setup in policy_init_session() before calling out to the
plugin.  This makes it possible for the pam_group module to change
the group in pam_setcred().  It's a bit bogus since pam_setcred()
is documented as not changing the group or user ID, but pam_group
is shipped with stock Linux-PAM so we need to support it.

diff -r ef0a5428a574 -r 814cda602541 src/sudo.c
--- a/src/sudo.c        Tue Apr 26 14:39:42 2016 -0600
+++ b/src/sudo.c        Thu Apr 28 11:01:58 2016 -0600
@@ -939,7 +939,8 @@
 }
 
 /*
- * Setup the execution environment immediately prior to the call to execve()
+ * Setup the execution environment immediately prior to the call to execve().
+ * Group setup is performed by policy_init_session(), called earlier.
  * Returns true on success and false on failure.
  */
 bool
@@ -1018,30 +1019,6 @@
 #endif /* HAVE_LOGIN_CAP_H */
     }
 
-    /*
-     * Set groups, including supplementary group vector.
-     */
-    if (!ISSET(details->flags, CD_PRESERVE_GROUPS)) {
-       if (details->ngroups >= 0) {
-           if (sudo_setgroups(details->ngroups, details->groups) < 0) {
-               sudo_warn(U_("unable to set supplementary group IDs"));
-               goto done;
-           }
-       }
-    }
-#ifdef HAVE_SETEUID
-    if (ISSET(details->flags, CD_SET_EGID) && setegid(details->egid)) {
-       sudo_warn(U_("unable to set effective gid to runas gid %u"),
-           (unsigned int)details->egid);
-       goto done;
-    }
-#endif
-    if (ISSET(details->flags, CD_SET_GID) && setgid(details->gid)) {
-       sudo_warn(U_("unable to set gid to runas gid %u"),
-           (unsigned int)details->gid);
-       goto done;
-    }
-
     if (ISSET(details->flags, CD_SET_PRIORITY)) {
        if (setpriority(PRIO_PROCESS, 0, details->priority) != 0) {
            sudo_warn(U_("unable to set process priority"));
@@ -1365,6 +1342,35 @@
     int rval = true;
     debug_decl(policy_init_session, SUDO_DEBUG_PCOMM)
 
+    /*
+     * We set groups, including supplementary group vector,
+     * as part of the session setup.  This allows for dynamic
+     * groups to be set via pam_group(8) in pam_setcred(3).
+     */
+    if (!ISSET(details->flags, CD_PRESERVE_GROUPS)) {
+       if (details->ngroups >= 0) {
+           if (sudo_setgroups(details->ngroups, details->groups) < 0) {
+               sudo_warn(U_("unable to set supplementary group IDs"));
+               rval = -1;
+               goto done;
+           }
+       }
+    }
+#ifdef HAVE_SETEUID
+    if (ISSET(details->flags, CD_SET_EGID) && setegid(details->egid)) {
+       sudo_warn(U_("unable to set effective gid to runas gid %u"),
+           (unsigned int)details->egid);
+       rval = -1;
+       goto done;
+    }
+#endif
+    if (ISSET(details->flags, CD_SET_GID) && setgid(details->gid)) {
+       sudo_warn(U_("unable to set gid to runas gid %u"),
+           (unsigned int)details->gid);
+       rval = -1;
+       goto done;
+    }
+
     if (policy_plugin.u.policy->init_session) {
        /*
         * Backwards compatibility for older API versions
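Review bot: Once the plugin's `init_session` call below the added block returns, nothing re-asserts the credentials, and the matching block was removed from the exec-time setup in the previous hunk, so the command runs with whatever group vector the PAM stack leaves rather than strictly `details->groups`. That is the stated goal for pam_group, but it makes the PAM configuration part of the authorization result, and the new comment should say so, e.g. `/* NOTE: the plugin's init_session (pam_setcred) may change groups after this point; they are not re-asserted before execve(). */`. The new failure paths set `rval = -1` while the initializer is `int rval = true`, so the function's header comment (outside the hunk) should name the return values, presumably true on success and -1 on error as the caller tests them. The call site is also outside the hunk; it is worth confirming that policy_init_session() runs only in the process that goes on to exec the command, since otherwise the gid and supplementary-group change would also apply to a process that keeps running.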
@@ -1381,6 +1387,7 @@
        }
        sudo_debug_set_active_instance(sudo_debug_instance);
     }
+done:
     debug_return_int(rval);
 }
 



