Hello community,

here is the log from the commit of package sudo for openSUSE:Factory checked in at 2020-11-21 12:39:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sudo (Old)
 and /work/SRC/openSUSE:Factory/.sudo.new.5913 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sudo" Sat Nov 21 12:39:16 2020 rev:116 rq:848942 version:1.9.3p1 Changes: -------- --- /work/SRC/openSUSE:Factory/sudo/sudo.changes 2020-09-14 12:05:30.651760510 +0200 +++ /work/SRC/openSUSE:Factory/.sudo.new.5913/sudo.changes 2020-11-23 10:51:03.702636554 +0100 
@@ -1,0 +2,69 @@ +Fri Nov 13 21:26:58 UTC 2020 - Kristyna Streitova <kstreit...@suse.com> + +- Update to 1.9.3p1 + * Fixed a regression introduced in sudo 1.9.3 where the configure + script would not detect the crypt(3) function if it was present + in the C library, not an additional library. + * Fixed a regression introduced in sudo 1.8.23 with shadow passwd + file authentication on OpenBSD. BSD authentication was not + affected. + * Sudo now logs when a user-specified command-line option is + rejected by a sudoers rule. Previously, these conditions were + written to the audit log, but the default sudo log file. Affected + command line arguments include -C (--close-from), -D (--chdir), + -R (--chroot), -g (--group) and -u (--user). + +- News in 1.9.3 + * Fixed building the Python plugin on systems with a compiler that + doesn't support symbol hiding. + * Sudo now uses a linker script to hide symbols even when the + compiler has native symbol hiding support. This should make it + easier to detect omissions in the symbol exports file, regardless + of the platform. + * Fixed the libssl dependency in Debian packages for older releases + that use libssl1.0.0. + * Sudo and visudo now provide more detailed messages when a syntax + error is detected in sudoers. The offending line and token are + now displayed. If the parser was generated by GNU bison, + additional information about what token was expected is also + displayed. Bug #841. + * Sudoers rules must now end in either a newline or the end-of-file. + Previously, it was possible to have multiple rules on a single + line, separated by white space. The use of an end-of-line + terminator makes it possible to display accurate error messages. + * Sudo no longer refuses to run if a syntax error in the sudoers + file is encountered. The entry with the syntax error will be + discarded and sudo will continue to parse the file. 
This makes + recovery from a syntax error less painful on systems where sudo + is the primary method of superuser access. The historic behavior + can be restored by add "error_recovery=false" to the sudoers + plugin's optional arguments in sudo.conf. Bug #618. + * Fixed the sample_approval plugin's symbol exports file for systems + where the compiler doesn't support symbol hiding. + * Fixed a regression introduced in sudo 1.9.1 where arguments to + the "sudoers_policy" plugin in sudo.conf were not being applied. + The sudoers file is now parsed by the "sudoers_audit" plugin, + which is loaded implicitly when "sudoers_policy" is listed in + sudo.conf. Starting with sudo 1.9.3, if there are plugin arguments + for "sudoers_policy" but "sudoers_audit" is not listed, those + arguments will be applied to "sudoers_audit" instead. + * The user's resource limits are now passed to sudo plugins in + the user_info[] list. A plugin cannot determine the limits + itself because sudo changes the limits while it runs to prevent + resource starvation. + * It is now possible to set the working directory or change the + root directory on a per-command basis using the CWD and CHROOT + options. There are also new Defaults settings, runchroot and + runcwd, that can be used to set the working directory or root + directory on a more global basis. + * New -D (--chdir) and -R (--chroot) command line options can be + used to set the working directory or root directory if the sudoers + file allows it. This functionality is not enabled by default + and must be explicitly enabled in the sudoers file. + +- add sudo-1.9.3p1-pam_xauth.patch to stay setuid until just before + executing the command. 
Fixes a problem with pam_xauth which + checks effective and real uids to get the real identity of the + user [bsc#1174593] + +------------------------------------------------------------------- Old: ---- sudo-1.9.2.tar.gz sudo-1.9.2.tar.gz.sig New: ---- sudo-1.9.3p1-pam_xauth.patch sudo-1.9.3p1.tar.gz sudo-1.9.3p1.tar.gz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sudo.spec ++++++ --- /var/tmp/diff_new_pack.XCpBgs/_old 2020-11-23 10:51:04.242637095 +0100 +++ /var/tmp/diff_new_pack.XCpBgs/_new 2020-11-23 10:51:04.246637098 +0100 @@ -22,7 +22,7 @@ %define use_usretc 1 %endif Name: sudo -Version: 1.9.2 +Version: 1.9.3p1 Release: 0 Summary: Execute some commands as root License: ISC @@ -38,6 +38,7 @@ Source7: README_313276.test # PATCH-OPENSUSE: the "SUSE" branding of the default sudo config Patch0: sudo-sudoers.patch +Patch1: sudo-1.9.3p1-pam_xauth.patch BuildRequires: audit-devel BuildRequires: cyrus-sasl-devel BuildRequires: groff @@ -89,6 +90,7 @@ %prep %setup -q %patch0 -p1 +%patch1 -p1 %build %ifarch s390 s390x %{sparc} ++++++ sudo-1.9.3p1-pam_xauth.patch ++++++ --- a/src/sudo.c Wed Nov 11 09:34:50 2020 -0700 +++ b/src/sudo.c Wed Nov 11 09:34:50 2020 -0700 @@ -297,9 +297,6 @@ SET(command_details.flags, CD_LOGIN_SHELL); if (ISSET(sudo_mode, MODE_BACKGROUND)) SET(command_details.flags, CD_BACKGROUND); - /* Become full root (not just setuid) so user cannot kill us. */ - if (setuid(ROOT_UID) == -1) - sudo_warn("setuid(%d)", ROOT_UID); if (ISSET(command_details.flags, CD_SUDOEDIT)) { status = sudo_edit(&command_details); } else {
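
Review bot: In the 1.9.3p1 entry of the sudo.changes hunk, the sentence "Previously, these conditions were written to the audit log, but the default sudo log file" appears to be missing "not" before "the default sudo log file"; as written it does not say where the events were absent. In the 1.9.3 entry, "can be restored by add" should read "by adding". Both are worth correcting, since this entry is where administrators learn about the "error_recovery=false" setting and the new logging of rejected -C, -D, -R, -g and -u options.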
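
Review bot: The new Patch1 line in the sudo.spec hunk at @@ -38,6 +38,7 @@ has no descriptive comment, while Patch0 directly above it carries a "# PATCH-OPENSUSE:" line. Add a comment above Patch1 in the same style that says what the patch changes and references bsc#1174593, so the spec itself records why a patch touching setuid handling is carried.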
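
Review bot: The src/sudo.c hunk deletes the setuid(ROOT_UID) call together with its comment "Become full root (not just setuid) so user cannot kill us", and nothing in the visible lines restores that protection. sudo.changes describes the patch as staying setuid "until just before executing the command", but this hunk contains only the removal, so it is not visible here where the real uid is set to root later, or whether that also covers the CD_SUDOEDIT path through sudo_edit(). Please include the hunk that performs the later uid change, or add a comment at this site naming where it happens, and state in the patch header whether the period in which the invoking user can signal the sudo process is an accepted trade-off for the pam_xauth fix.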