Evangelos Foutras pushed to branch main at Arch Linux / Packaging / Packages / sudo
Commits:

e5e504db by Evangelos Foutras at 2024-07-19T19:15:29+03:00
sudoers: enable secure_path by default

(commit message below by Levente Polyak <[email protected]>)

Enable the secure_path setting in the sudoers file by default to protect
against potential security pitfalls like unprivileged users that have
access to a specific binary via sudoers but otherwise do not have
privileges.

In such a scenario, any binary executed in the chain by the initial
entrypoint sudoers binary that is not invoked with a full absolute path
implicitly allows violating the privilege boundary by overriding the
subsequently called application with a malicious variant put earlier in
the PATH than the regular system paths.

- - - - -
4791df5c by Evangelos Foutras at 2024-07-19T19:27:33+03:00
upgpkg: 1.9.15.p5-2: enable secure_path by default

Enabled by default in /etc/sudoers but still disabled internally.
(See the previous commit or the linked issues for details.)

Fixes: #1, #2

- - - - -

3 changed files:

- .SRCINFO
- PKGBUILD
- + change-default-secure-path.patch

Changes:

===================================== .SRCINFO ===================================== @@ -1,7 +1,7 @@ pkgbase = sudo pkgdesc = Give certain users the ability to run some commands as root pkgver = 1.9.15.p5 - pkgrel = 1 + pkgrel = 2 url = https://www.sudo.ws/sudo/ install = sudo.install arch = x86_64 
@@ -17,12 +17,18 @@ pkgbase = sudo backup = etc/sudoers source = https://www.sudo.ws/sudo/dist/sudo-1.9.15p5.tar.gz source = https://www.sudo.ws/sudo/dist/sudo-1.9.15p5.tar.gz.sig + source = sudo-preserve-editor-for-visudo.patch::https://github.com/sudo-project/sudo/commit/1db1453556e1.patch + source = sudo-enable-secure_path-by-default.patch::https://github.com/sudo-project/sudo/commit/e0e24456bc3f.patch + source = change-default-secure-path.patch source = sudo_logsrvd.service source = sudo.pam validpgpkeys = 59D1E9CCBA2B376704FDD35BA9F4C021CEA470FB sha256sums = 558d10b9a1991fb3b9fa7fa7b07ec4405b7aefb5b3cb0b0871dbc81e3a88e558 sha256sums = SKIP - sha256sums = 8b91733b73171827c360a3e01f4692772b78e62ceca0cf0fd4b770aba35081a1 + sha256sums = 321aa5f1b482ffd5728c07477a51ce3de1e48b9db13f4578e662c227c705826c + sha256sums = baacece8e854bed47276925715ae8f3c2771ad72821006b3a26796fe154e1130 + sha256sums = d062bab92a9fcd2fac0a4a9dca155c58efc0f942dd1ed7e37e7055455a4980d9 + sha256sums = bd4bc2f5d85cbe14d7e7acc5008cb4fe62c38de7d42dc6876c87bfaa273c0a6e sha256sums = d1738818070684a5d2c9b26224906aad69a4fea77aabd960fc2675aee2df1fa2 pkgname = sudo ===================================== PKGBUILD ===================================== @@ -4,7 +4,7 @@ pkgname=sudo _sudover=1.9.15p5 -pkgrel=1 +pkgrel=2 pkgver=${_sudover/p/.p} pkgdesc="Give certain users the ability to run some commands as root" arch=('x86_64') 
@@ -17,16 +17,28 @@ backup=('etc/pam.d/sudo' 'etc/sudoers') install=$pkgname.install source=(https://www.sudo.ws/sudo/dist/$pkgname-$_sudover.tar.gz{,.sig} + $pkgname-preserve-editor-for-visudo.patch::https://github.com/sudo-project/sudo/commit/1db1453556e1.patch + $pkgname-enable-secure_path-by-default.patch::https://github.com/sudo-project/sudo/commit/e0e24456bc3f.patch + change-default-secure-path.patch sudo_logsrvd.service sudo.pam) sha256sums=('558d10b9a1991fb3b9fa7fa7b07ec4405b7aefb5b3cb0b0871dbc81e3a88e558' 'SKIP' + '321aa5f1b482ffd5728c07477a51ce3de1e48b9db13f4578e662c227c705826c' + 'baacece8e854bed47276925715ae8f3c2771ad72821006b3a26796fe154e1130' + 'd062bab92a9fcd2fac0a4a9dca155c58efc0f942dd1ed7e37e7055455a4980d9' 'bd4bc2f5d85cbe14d7e7acc5008cb4fe62c38de7d42dc6876c87bfaa273c0a6e' 'd1738818070684a5d2c9b26224906aad69a4fea77aabd960fc2675aee2df1fa2') validpgpkeys=('59D1E9CCBA2B376704FDD35BA9F4C021CEA470FB') prepare() { cd $pkgname-$_sudover + patch -Np1 -i ../$pkgname-preserve-editor-for-visudo.patch + patch -Np1 -F3 -i ../$pkgname-enable-secure_path-by-default.patch + + # we cannot use --with-secure_path as it will enable it internally as well + # keeping it disabled in the sudo binary allows the user to comment it out + patch -Np1 -i ../change-default-secure-path.patch } build() { ===================================== change-default-secure-path.patch ===================================== 
@@ -0,0 +1,26 @@ +diff --git a/configure b/configure +index 9ac46b6..de561f1 100755 +--- a/configure ++++ b/configure +@@ -3729,7 +3729,7 @@ noexec_file="$libexecdir/sudo/sudo_noexec.so" + sesh_file="$libexecdir/sudo/sesh" + visudo="$sbindir/visudo" + nsswitch_conf=/etc/nsswitch.conf +-secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ++secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin" + secure_path_set="disabled" + pam_session=on + pam_login_service=sudo +diff --git a/configure.ac b/configure.ac +index 2f07e7c..d59c04e 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -229,7 +229,7 @@ noexec_file="$libexecdir/sudo/sudo_noexec.so" + sesh_file="$libexecdir/sudo/sesh" + visudo="$sbindir/visudo" + nsswitch_conf=/etc/nsswitch.conf +-secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" ++secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin" + secure_path_set="disabled" + pam_session=on + pam_login_service=sudo View it on GitLab: https://gitlab.archlinux.org/archlinux/packaging/packages/sudo/-/compare/e9451b1571672bb174981fd6939e9908b6c0bee3...4791df5c3deb6355e6a1fe0b40a13ef27ad060b0
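
Review bot: In the second .SRCINFO hunk (@@ -17,12 +17,18 @@), the checksum in the sudo_logsrvd.service position changes from 8b91733b... to bd4bc2f5..., while the PKGBUILD hunk shows bd4bc2f5... as unchanged context, so .SRCINFO was out of sync with the PKGBUILD before this commit. Neither commit message mentions it; please note that the stale entry is being corrected here, and confirm the file was regenerated with makepkg --printsrcinfo rather than edited by hand so that the remaining fields also match.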
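
Review bot: In the PKGBUILD prepare() hunk, the upstream secure_path commit is applied with `patch -Np1 -F3`, which raises the fuzz factor above patch's default of 2 and means the commit does not apply cleanly to 1.9.15p5. Since this patch decides what the shipped sudoers file contains, a hunk that lands a few lines off is worth ruling out: consider vendoring a copy rebased onto the release tarball so it applies without -F, or add a comment stating which hunk needs the fuzz and why. The two GitHub sources in the same hunk are also referenced by 12-character abbreviated commit ids (1db1453556e1, e0e24456bc3f); the sha256sums entries pin the content, but the full commit hash in the URL would make the reference unambiguous.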
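
Review bot: change-default-secure-path.patch drops /usr/sbin, /sbin and /bin from the secure_path value without saying why, in both the configure and configure.ac hunks. Please add a short header to the patch file, or extend the comment above the `patch -Np1 -i ../change-default-secure-path.patch` line in prepare(), explaining the reason for the shorter list. The same edit is also carried twice, against the generated configure at line 3729 and against configure.ac at line 229; a note on which of the two the build actually consumes would tell the next maintainer which hunk has to keep applying after a version bump.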
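
The second commit leaves secure_path disabled inside the sudo binary and enables it only in /etc/sudoers, so a commented-out line switches it off entirely. The shell check below is an added example, not part of the commit or the Arch package: the function names and sample files are constructed, and it reads only a global `Defaults secure_path=` line in the single file it is given (no include handling).

```shell
#!/bin/sh
# Added example: report whether a sudoers file carries an active secure_path.
# Function names are constructed; only a global "Defaults secure_path=" line
# in the given file is considered (includes are not followed).

# Print the value of the last uncommented secure_path line; status 1 if none.
secure_path_of() {
    value=$(sed -n 's/^[[:space:]]*Defaults[[:space:]]\{1,\}secure_path[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p' "$1" | tail -n 1)
    [ -n "$value" ] || return 1
    printf '%s\n' "$value"
}

# Status 0: active and every entry absolute. 1: not active. 2: unsafe entry.
audit_secure_path() {
    value=$(secure_path_of "$1") || { echo "DISABLED"; return 1; }
    # An empty or relative entry resolves against the caller's working
    # directory, which defeats the purpose of a fixed search path.
    case ":$value:" in
        *:[!/]*) echo "UNSAFE $value"; return 2 ;;
    esac
    echo "OK $value"
}

# Constructed sample files (not taken from a real system).
demo_dir=$(mktemp -d)
cat > "$demo_dir/enabled" <<'EOF'
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"
root ALL=(ALL:ALL) ALL
EOF
cat > "$demo_dir/commented" <<'EOF'
# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"
root ALL=(ALL:ALL) ALL
EOF
cat > "$demo_dir/relative" <<'EOF'
Defaults secure_path="/usr/bin::bin"
EOF

for f in enabled commented relative; do
    printf '%s: ' "$f"
    audit_secure_path "$demo_dir/$f" || true
done
```

The exit status (0, 1 or 2) lets a configuration-management or CI job fail when the line has been commented out or edited to contain a relative entry.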
