Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package sudo for openSUSE:Factory checked in at 2023-12-05 17:02:24 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sudo (Old) and /work/SRC/openSUSE:Factory/.sudo.new.25432 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sudo" Tue Dec 5 17:02:24 2023 rev:149 rq:1128361 version:1.9.15p2 Changes: -------- --- /work/SRC/openSUSE:Factory/sudo/sudo.changes 2023-09-13 20:43:41.480219004 +0200 +++ /work/SRC/openSUSE:Factory/.sudo.new.25432/sudo.changes 2023-12-05 17:02:49.084267043 +0100 
@@ -1,0 +2,95 @@ +Wed Nov 22 12:46:00 UTC 2023 - Otto Hollmann <otto.hollm...@suse.com> + +- Update to 1.9.15p2: + * Fixed a bug on BSD systems where sudo would not restore the + terminal settings on exit if the terminal had parity enabled. + GitHub issue #326. +- Update to 1.9.15p1: + * Fixed a bug introduced in sudo 1.9.15 that prevented LDAP-based + sudoers from being able to read the ldap.conf file. + GitHub issue #325. +- Update to 1.9.15: + * Fixed an undefined symbol problem on older versions of macOS + when "intercept" or "log_subcmds" are enabled in sudoers. + GitHub issue #276. + * Fixed "make check" failure related to getpwent(3) wrapping + on NetBSD. + * Fixed the warning message for "sudo -l command" when the command + is not permitted. There was a missing space between "list" and + the actual command due to changes in sudo 1.9.14. + * Fixed a bug where output could go to the wrong terminal if + "use_pty" is enabled (the default) and the standard input, output + or error is redirected to a different terminal. Bug #1056. + * The visudo utility will no longer create an empty file when the + specified sudoers file does not exist and the user exits the + editor without making any changes. GitHub issue #294. + * The AIX and Solaris sudo packages on www.sudo.ws now support + "log_subcmds" and "intercept" with both 32-bit and 64-bit + binaries. Previously, they only worked when running binaries + with the same word size as the sudo binary. GitHub issue #289. + * The sudoers source is now logged in the JSON event log. This + makes it possible to tell which rule resulted in a match. + * Running "sudo -ll command" now produces verbose output that + includes matching rule as well as the path to the sudoers file + the matching rule came from. For LDAP sudoers, the name of the + matching sudoRole is printed instead. + * The embedded copy of zlib has been updated to version 1.3. 
+ * The sudoers plugin has been modified to make it more resilient + to ROWHAMMER attacks on authentication and policy matching. + This addresses CVE-2023-42465. + * The sudoers plugin now constructs the user time stamp file path + name using the user-ID instead of the user name. This avoids a + potential problem with user names that contain a path separator + ('/') being interpreted as part of the path name. A similar + issue in sudo-rs has been assigned CVE-2023-42456. + * A path separator ('/') in a user, group or host name is now + replaced with an underbar character ('_') when expanding escapes + in @include and @includedir directives as well as the "iolog_file" + and "iolog_dir" sudoers Default settings. + * The "intercept_verify" sudoers option is now only applied when + the "intercept" option is set in sudoers. Previously, it was + also applied when "log_subcmds" was enabled. Sudo 1.9.14 + contained an incorrect fix for this. Bug #1058. + * Changes to terminal settings are now performed atomically, where + possible. If the command is being run in a pseudo-terminal and + the user's terminal is already in raw mode, sudo will not change + the user's terminal settings. This prevents concurrent sudo + processes from restoring the terminal settings to the wrong values. + GitHub issue #312. + * Reverted a change from sudo 1.9.4 that resulted in PAM session + modules being called with the environment of the command to be + run instead of the environment of the invoking user. + GitHub issue #318. + * New Indonesian translation from translationproject.org. + * The sudo_logsrvd server will now raise its open file descriptor + limit to the maximum allowed value when it starts up. Each + connection can require up to nine open file descriptors so the + default soft limit may be too low. + * Better log message when rejecting a command if the "intercept" + option is enabled and the "intercept_allow_setid" option is + disabled. 
Previously, "command not allowed" would be logged and + the user had no way of knowing what the actual problem was. + * Sudo will now log the invoking user's environment as "submitenv" + in the JSON logs. The command's environment ("runenv") is no + longer logged for commands rejected by the sudoers file or an + approval plugin. + +------------------------------------------------------------------- +Tue Nov 21 08:56:42 UTC 2023 - Dominique Leuenberger <dims...@opensuse.org> + +- Package/ship empty /etc/sudoers.d directory for admins to + discover where to put their won config. + +------------------------------------------------------------------- +Wed Sep 20 08:34:12 UTC 2023 - Ludwig Nussel <lnus...@suse.com> + +- Introduce optional wheel and sudo group policies as separate packages + (bsc#1203978, jsc#PED-260) + +------------------------------------------------------------------- +Wed Sep 14 13:06:51 UTC 2023 - Otto Hollmann <otto.hollm...@suse.com> + +- Install config files into /usr/etc and read from both location: + /etc and /usr/etc (bsc#1205118) + +------------------------------------------------------------------- Old: ---- sudo-1.9.14p3.tar.gz sudo-1.9.14p3.tar.gz.sig New: ---- 50-wheel-auth-self.conf 51-wheel.rules sudo-1.9.15p2.tar.gz sudo-1.9.15p2.tar.gz.sig system-group-sudo.conf ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sudo.spec ++++++ --- /var/tmp/diff_new_pack.OdZPKw/_old 2023-12-05 17:02:50.424316437 +0100 +++ /var/tmp/diff_new_pack.OdZPKw/_new 2023-12-05 17:02:50.428316585 +0100 @@ -16,8 +16,16 @@ # +%if %{defined _distconfdir} +%define confdir %{_distconfdir} +%define confmode 0444 +%else +%define confdir %{_sysconfdir} +%define confmode 0440 +%endif + Name: sudo -Version: 1.9.14p3 +Version: 1.9.15p2 Release: 0 Summary: Execute some commands as root License: ISC 
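Review bot: two typos in the changes entries of this hunk: "their won config" (Nov 21 entry) should read "their own config", and "read from both location" (Sep 14 entry) should read "read from both locations". The Sep 14 entry would also be less ambiguous if it said what "both" means for each file, since the spec below picks one main sudoers (the first found of /etc/sudoers and /usr/etc/sudoers) but reads drop-ins from /etc/sudoers.d through an @includedir line.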
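Review bot: `%define confmode 0444` for the `_distconfdir` branch makes the vendor sudoers world-readable while the `%else` branch keeps the upstream 0440, and nothing in the hunk says why the two branches differ. The same file's mode is then stated two more ways further down the spec (`chmod 644` in %install, `%attr(%confmode,...)` in %files), so the effective value is unclear to a reader. Define it once here with a comment on why the vendor copy may be readable by everyone, and make %install and %files agree with it. Since sudo's sudoers_mode defaults to 0440 and sudo complains about a sudoers file with extra permission bits, please also confirm that this build accepts a 0444 vendor copy before it ships.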
@@ -31,6 +39,9 @@ Source5: README.SUSE Source6: fate_313276_test.sh Source7: README_313276.test +Source8: 50-wheel-auth-self.conf +Source9: 51-wheel.rules +Source10: system-group-sudo.conf # PATCH-OPENSUSE: the "SUSE" branding of the default sudo config Patch0: sudo-sudoers.patch BuildRequires: audit-devel @@ -42,6 +53,7 @@ BuildRequires: pam-devel BuildRequires: python3-devel BuildRequires: systemd-rpm-macros +BuildRequires: sysuser-tools BuildRequires: zlib-devel Requires(pre): coreutils Requires(pre): permissions @@ -49,12 +61,17 @@ %description Sudo is a command that allows users to execute some commands as root. -The %{_sysconfdir}/sudoers file (edited with 'visudo') specifies which users have +%if %{defined _distconfdir} +Sudo reads either %{_sysconfdir}/sudoers or %{_distconfdir}/sudoers +(in that order, whichever one it finds first), to determine what users have +%else +The %{_sysconfdir}/sudoers file specifies which users have +%endif access to sudo and which commands they can run. Sudo logs all its activities to syslogd, so the system administrator can keep an eye on -things. Sudo asks for the password for initializing a check period of a +things. Sudo asks for the password to initialize a check period of a given time N (where N is defined at installation and is set to 5 -minutes by default). +minutes by default). Administrators can edit the sudoers file with 'visudo'. %package plugin-python Summary: Plugin API for python 
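Review bot: the new %description text says sudo reads "either %{_sysconfdir}/sudoers or %{_distconfdir}/sudoers (in that order, whichever one it finds first)", which is right for the main file but leaves out the drop-in half that the changes entry calls "read from both location[s]": drop-ins come from /etc/sudoers.d via the @includedir line appended in %install. State both rules, and say that an admin copy in /etc/sudoers replaces the vendor file entirely, so it must carry its own @includedir lines or the vendor drop-ins stop being read. The closing sentence "Administrators can edit the sudoers file with 'visudo'" should name which file that is on a `_distconfdir` system: running visudo on /usr/etc/sudoers edits the vendor copy, which %files does not mark %config(noreplace) there, so the next package update overwrites it.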
@@ -82,10 +99,39 @@ %description test Tests for fate#313276 +%package policy-wheel-auth-self +Summary: Users in the wheel group can authenticate as admin +Group: System/Base +Requires: %{name} = %{version} +Requires: group(wheel) + +%description policy-wheel-auth-self +Sudo authentication policy that allows users in the wheel group to +authenticate as root with their own password + +%package policy-sudo-auth-self +Summary: Users in the sudo group can authenticate as admin +Group: System/Base +Requires: %{name} = %{version} +Requires: group(sudo) + +%description policy-sudo-auth-self +Sudo authentication policy that allows users in the sudo group to +authenticate as root with their own password + +%package -n system-group-sudo +Summary: System group 'sudo' +Group: System/Fhs +%{sysusers_requires} + +%description -n system-group-sudo +This package provides the system group 'sudo'. + %prep %autosetup -p1 %build +%sysusers_generate_pre %{SOURCE10} sudo system-group-sudo.conf %ifarch s390 s390x %{sparc} F_PIE=-fPIE %else @@ -98,6 +144,11 @@ --docdir=%{_docdir}/%{name} \ --with-noexec=%{_libexecdir}/sudo/sudo_noexec.so \ --enable-tmpfiles.d=%{_tmpfilesdir} \ +%if %{defined _distconfdir} + --prefix=/usr \ + --sysconfdir=%{_distconfdir} \ + --enable-adminconf=%{_sysconfdir} \ +%endif --with-pam \ --with-pam-login \ --with-ldap \ 
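Review bot: the %description of policy-wheel-auth-self and policy-sudo-auth-self describes only the sudoers side ("authenticate as root with their own password"), but each package also installs a polkit rule (51-wheel.rules / 51-sudo.rules) that pushes the group onto `polkit._suse_admin_groups`, so members also become polkit admins for every action that asks for admin authentication. That is a second, separate privilege grant and belongs in the Summary and %description so an admin knows what installing the "sudo policy" package changes. Also, `Requires: group(sudo)` is satisfied by the new system-group-sudo subpackage, but `group(wheel)` is provided by nothing in this spec; name the package that provides it or add the dependency on it.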
@@ -147,7 +198,22 @@ rm -f %{buildroot}%{_docdir}/%{name}/sample.pam rm -f %{buildroot}%{_docdir}/%{name}/sample.syslog.conf rm -f %{buildroot}%{_docdir}/%{name}/schema.OpenLDAP -rm -f %{buildroot}%{_sysconfdir}/sudoers.dist +rm -f %{buildroot}%{confdir}/sudoers.dist + +%if %{defined _distconfdir} +# Move /etc to /usr/etc/ +mkdir -p %{buildroot}%{_distconfdir}/sudoers.d %{buildroot}%{_sysconfdir}/sudoers.d +chmod 644 %{buildroot}%{_distconfdir}/sudoers +echo "@includedir /etc/sudoers.d" >> %{buildroot}%{_distconfdir}/sudoers +%endif + +install -D -m 644 %{SOURCE8} %{buildroot}%{confdir}/sudoers.d/50-wheel-auth-self +install -D -m 644 %{SOURCE9} %{buildroot}/usr/share/polkit-1/rules.d/51-wheel.rules + +sed -e 's/wheel/sudo/g' < %{SOURCE8} > %{buildroot}%{confdir}/sudoers.d/50-sudo-auth-self +sed -e 's/wheel/sudo/g' < %{SOURCE9} > %{buildroot}/usr/share/polkit-1/rules.d/51-sudo.rules + +install -D -m 644 %{SOURCE10} %{buildroot}%{_sysusersdir}/system-group-sudo.conf %find_lang %{name} %find_lang sudoers @@ -172,10 +238,11 @@ for i in sudo sudo-i ; do test -f %{_sysconfdir}/pam.d/${i}.rpmsave && mv -v %{_sysconfdir}/pam.d/${i}.rpmsave %{_sysconfdir}/pam.d/${i} ||: done +test -f %{_sysconfdir}/sudoers.rpmsave && mv -v %{_sysconfdir}/sudoers.rpmsave %{_sysconfdir}/sudoers ||: %endif %post -chmod 0440 %{_sysconfdir}/sudoers +[ -e %{_sysconfdir}/sudoers ] && chmod 0440 %{_sysconfdir}/sudoers %if 0%{?suse_version} <= 1130 %run_permissions %else @@ -186,6 +253,8 @@ %verifyscript %verify_permissions -e %{_bindir}/sudo +%pre -n system-group-sudo -f sudo.pre + %files -f %{name}.lang %license LICENSE.md %doc %{_docdir}/%{name} 
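Review bot: in the %install hunk the policy drop-ins are installed into `%{confdir}/sudoers.d`, which is /usr/etc/sudoers.d on a `_distconfdir` system, but the only include this hunk adds is `echo "@includedir /etc/sudoers.d"`. Whether /usr/etc/sudoers.d is ever read therefore depends on the upstream sudoers.in keeping its own @includedir line after sudo-sudoers.patch, which is not visible in this diff. More importantly, with `--enable-adminconf` an /etc/sudoers (including the one the next hunk restores from sudoers.rpmsave on upgrade) replaces the vendor file outright, so any pre-existing admin sudoers silently drops the policy-*-auth-self drop-ins. Either install the drop-ins under /etc/sudoers.d as well, or add an explicit `@includedir` for /usr/etc/sudoers.d here and document that an admin /etc/sudoers must keep it. Minor: `/etc/sudoers.d` is hard-coded where `%{_sysconfdir}` is used everywhere else, and the `chmod 644` is overridden by `%attr(%confmode,...)` in %files anyway, so it can go.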
@@ -203,10 +272,12 @@ %{_mandir}/man8/sudo_logsrvd.8%{?ext_man} %{_mandir}/man8/sudo_sendlog.8%{?ext_man} -%config(noreplace) %attr(0440,root,root) %{_sysconfdir}/sudoers -%attr(0750,root,root) %dir %{_sysconfdir}/sudoers.d -%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sudo.conf -%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sudo_logsrvd.conf +%{!?_distconfdir:%config(noreplace)} %attr(%confmode,root,root) %{confdir}/sudoers +%attr(0750,root,root) %dir %{confdir}/sudoers.d +%{?_distconfdir:%attr(0750,root,root) %dir %{_sysconfdir}/sudoers.d} +%attr(0644,root,root) %config(noreplace) %{confdir}/sudo.conf +%attr(0644,root,root) %config(noreplace) %{confdir}/sudo_logsrvd.conf + %if %{defined _distconfdir} %{_pam_vendordir}/sudo %{_pam_vendordir}/sudo-i @@ -251,3 +322,19 @@ %files test %{_localstatedir}/lib/tests +%files policy-wheel-auth-self +%{confdir}/sudoers.d/50-wheel-auth-self +%dir /usr/share/polkit-1 +%dir %attr(0555,root,root) /usr/share/polkit-1/rules.d +/usr/share/polkit-1/rules.d/51-wheel.rules + +%files policy-sudo-auth-self +%{confdir}/sudoers.d/50-sudo-auth-self +%dir /usr/share/polkit-1 +%dir %attr(0555,root,root) /usr/share/polkit-1/rules.d +/usr/share/polkit-1/rules.d/51-sudo.rules + +%files -n system-group-sudo +%defattr(-,root,root) +%{_sysusersdir}/system-group-sudo.conf + ++++++ 50-wheel-auth-self.conf ++++++ Defaults:%wheel !targetpw %wheel ALL = (root) ALL ++++++ 51-wheel.rules ++++++ polkit._suse_admin_groups.push("wheel"); ++++++ sudo-1.9.14p3.tar.gz -> sudo-1.9.15p2.tar.gz ++++++ ++++ 116883 lines of diff (skipped) ++++++ sudo-sudoers.patch ++++++ --- /var/tmp/diff_new_pack.OdZPKw/_old 2023-12-05 17:02:51.416353004 +0100 +++ /var/tmp/diff_new_pack.OdZPKw/_new 2023-12-05 17:02:51.424353299 +0100 
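Review bot: `%files policy-wheel-auth-self` and `%files policy-sudo-auth-self` both claim `%dir %attr(0555,root,root) /usr/share/polkit-1/rules.d` (and `/usr/share/polkit-1`) without any dependency on polkit; that directory belongs to polkit, and forcing 0555 on it from two sudo subpackages will conflict with whatever mode polkit's own package sets and show up in rpm verification for all of them. Add a Requires on the package that owns rules.d and drop the %attr (and use `%{_datadir}` rather than the literal path). In the same hunk, `%{confdir}/sudoers.d` is 0750 while the vendor sudoers next to it is `%confmode` (0444) and the drop-ins are installed 0644; on `_distconfdir` systems the drop-ins are unreadable to non-root only because of the directory mode, which is an odd pairing with a world-readable main file. Finally, 51-wheel.rules calls `polkit._suse_admin_groups.push("wheel")`, which only works if a lower-numbered rules file has already defined that array; a one-line comment in the rules file saying where it is defined would save the next reader a search.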
@@ -1,8 +1,8 @@ -Index: sudo-1.9.14p1/plugins/sudoers/sudoers.in +Index: sudo-1.9.15p2/plugins/sudoers/sudoers.in =================================================================== ---- sudo-1.9.14p1.orig/plugins/sudoers/sudoers.in -+++ sudo-1.9.14p1/plugins/sudoers/sudoers.in -@@ -32,32 +32,23 @@ +--- sudo-1.9.15p2.orig/plugins/sudoers/sudoers.in ++++ sudo-1.9.15p2/plugins/sudoers/sudoers.in +@@ -41,32 +41,23 @@ ## ## Defaults specification ## @@ -52,25 +52,28 @@ ## ## Uncomment to restore the historic behavior where a command is run in ## the user's own terminal. -@@ -72,10 +63,16 @@ +@@ -81,7 +72,6 @@ ## Set maxseq to a smaller number if you don't have unlimited disk space. # Defaults log_output # Defaults!/usr/bin/sudoreplay !log_output -# Defaults!/usr/local/bin/sudoreplay !log_output # Defaults!REBOOT !log_output # Defaults maxseq = 1000 + ## +@@ -95,6 +85,12 @@ + ## slower by these options and also can clutter up the logs. + # Defaults!PKGMAN !intercept, !log_subcmds +## In the default (unconfigured) configuration, sudo asks for the root password. +## This allows use of an ordinary user account for administration of a freshly -+## installed system. When configuring sudo, delete the two -+## following lines: ++## installed system. +Defaults targetpw # ask for the password of the target user i.e. root +ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'! + ## ## Runas alias specification ## -@@ -91,13 +88,5 @@ root ALL=(ALL:ALL) ALL +@@ -110,13 +106,5 @@ root ALL=(ALL:ALL) ALL ## Same thing without a password # %wheel ALL=(ALL:ALL) NOPASSWD: ALL ++++++ system-group-sudo.conf ++++++ # Type Name ID GECOS [HOME] g sudo -
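Review bot: the refreshed hunk removes "When configuring sudo, delete the two following lines:" from the comment above `Defaults targetpw` and `ALL ALL=(ALL) ALL` without putting any guidance in its place. Those two lines are only safe as a pair: `ALL ALL=(ALL) ALL` with targetpw disabled lets every user run anything as root with their own password, which is exactly what the inline WARNING says. Now that the vendor file lives under /usr/etc on `_distconfdir` systems and is overwritten on update, the comment should tell the admin the supported way to change the default: override per group from a drop-in (`Defaults:%wheel !targetpw`, as the new 50-wheel-auth-self does) or copy the file to /etc/sudoers and remove both lines there, rather than editing the vendor copy.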
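The 50-wheel-auth-self.conf drop-in above only works as intended if the main sudoers still carries `Defaults targetpw` together with `ALL ALL=(ALL) ALL` and the drop-in is actually reached through an @includedir. The following script is an added example, not part of the openSUSE package or of sudo itself: it models the lookup order this spec produces (admin copy in ETC/sudoers wins over the vendor copy in DISTETC/sudoers; drop-ins from ETC/sudoers.d, with the file-name rule sudoers(5) applies to @includedir) and then checks the set of files that will be parsed for the unsafe combination of a global `Defaults !targetpw` with the catch-all rule. The directory arguments are hypothetical so it can run against a scratch tree; drop-ins under DISTETC/sudoers.d are deliberately not modelled because this page shows no @includedir for them, and only the exact spellings used in the SUSE patch are matched.

```sh
#!/bin/sh
# Added example, not part of the openSUSE sudo package or of sudo itself.
# Models the layout this spec produces on a _distconfdir system: an admin
# copy at ETC/sudoers wins over the vendor copy at DISTETC/sudoers
# (--enable-adminconf), and drop-ins are read from ETC/sudoers.d through the
# "@includedir /etc/sudoers.d" line the spec appends. The directory
# arguments are hypothetical so the functions can run on a scratch tree;
# drop-ins under DISTETC/sudoers.d are not modelled because the page shows
# no @includedir for them.

# effective_sudoers ETC DISTETC
# Prints "main FILE" for the sudoers file that is in effect, then one
# "include FILE" or "skip FILE" line per entry of ETC/sudoers.d in the
# order @includedir reads them: sorted lexical order, with names that
# contain a '.' or end in '~' skipped (the sudoers(5) rule for drop-ins).
effective_sudoers() {
    etc=$1
    distetc=$2
    if [ -f "$etc/sudoers" ]; then
        echo "main $etc/sudoers"
    elif [ -f "$distetc/sudoers" ]; then
        echo "main $distetc/sudoers"
    else
        echo "main (none)"
    fi
    for f in "$etc"/sudoers.d/*; do
        [ -f "$f" ] || continue
        case ${f##*/} in
            *.*|*~) echo "skip $f" ;;
            *)      echo "include $f" ;;
        esac
    done
}

# targetpw_exposure FILE...
# Returns 1 when some file disables targetpw globally ("Defaults !targetpw")
# while the catch-all rule the SUSE patch ships ("ALL ALL=(ALL) ALL") is
# still present in any file: that combination lets every user become root
# with their own password. A per-group override such as
# "Defaults:%wheel !targetpw" does not trigger it. Returns 0 otherwise.
# Only the exact forms above are matched; aliases and other spellings are
# not parsed.
targetpw_exposure() {
    catchall=0
    global_off=0
    for f in "$@"; do
        grep -Eq '^[[:space:]]*ALL[[:space:]]+ALL[[:space:]]*=[[:space:]]*\(ALL\)[[:space:]]+ALL' "$f" && catchall=1
        grep -Eq '^[[:space:]]*Defaults[[:space:]]+!targetpw' "$f" && global_off=1
    done
    if [ "$catchall" -eq 1 ] && [ "$global_off" -eq 1 ]; then
        return 1
    fi
    return 0
}

# Usage: sh this_script.sh /etc /usr/etc
if [ "$#" -eq 2 ]; then
    effective_sudoers "$1" "$2"
    # Paths in sudoers.d contain no whitespace, so word splitting is safe here.
    files=$(effective_sudoers "$1" "$2" | awk '$1 != "skip" && $2 != "(none)" { print $2 }')
    if targetpw_exposure $files; then
        echo "targetpw policy: ok"
    else
        echo "targetpw policy: EXPOSED (global !targetpw together with ALL ALL=(ALL) ALL)"
    fi
fi
```

Run it as `sh check-sudoers.sh /etc /usr/etc` on a system built from this package; a file listed as `skip` is one sudo will never read, and an `EXPOSED` verdict means a drop-in has turned the vendor catch-all rule into "any user, own password, any command".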