Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package sudo for openSUSE:Factory checked in
at 2023-12-05 17:02:24
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sudo (Old)
and /work/SRC/openSUSE:Factory/.sudo.new.25432 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sudo"
Tue Dec 5 17:02:24 2023 rev:149 rq:1128361 version:1.9.15p2
Changes:
--------
--- /work/SRC/openSUSE:Factory/sudo/sudo.changes 2023-09-13
20:43:41.480219004 +0200
+++ /work/SRC/openSUSE:Factory/.sudo.new.25432/sudo.changes 2023-12-05
17:02:49.084267043 +0100
@@ -1,0 +2,95 @@
+Wed Nov 22 12:46:00 UTC 2023 - Otto Hollmann <otto.hollm...@suse.com>
+
+- Update to 1.9.15p2:
+ * Fixed a bug on BSD systems where sudo would not restore the
+ terminal settings on exit if the terminal had parity enabled.
+ GitHub issue #326.
+- Update to 1.9.15p1:
+ * Fixed a bug introduced in sudo 1.9.15 that prevented LDAP-based
+ sudoers from being able to read the ldap.conf file.
+ GitHub issue #325.
+- Update to 1.9.15:
+ * Fixed an undefined symbol problem on older versions of macOS
+ when "intercept" or "log_subcmds" are enabled in sudoers.
+ GitHub issue #276.
+ * Fixed "make check" failure related to getpwent(3) wrapping
+ on NetBSD.
+ * Fixed the warning message for "sudo -l command" when the command
+ is not permitted. There was a missing space between "list" and
+ the actual command due to changes in sudo 1.9.14.
+ * Fixed a bug where output could go to the wrong terminal if
+ "use_pty" is enabled (the default) and the standard input, output
+ or error is redirected to a different terminal. Bug #1056.
+ * The visudo utility will no longer create an empty file when the
+ specified sudoers file does not exist and the user exits the
+ editor without making any changes. GitHub issue #294.
+ * The AIX and Solaris sudo packages on www.sudo.ws now support
+ "log_subcmds" and "intercept" with both 32-bit and 64-bit
+ binaries. Previously, they only worked when running binaries
+ with the same word size as the sudo binary. GitHub issue #289.
+ * The sudoers source is now logged in the JSON event log. This
+ makes it possible to tell which rule resulted in a match.
+ * Running "sudo -ll command" now produces verbose output that
+ includes matching rule as well as the path to the sudoers file
+ the matching rule came from. For LDAP sudoers, the name of the
+ matching sudoRole is printed instead.
+ * The embedded copy of zlib has been updated to version 1.3.
+ * The sudoers plugin has been modified to make it more resilient
+ to ROWHAMMER attacks on authentication and policy matching.
+ This addresses CVE-2023-42465.
+ * The sudoers plugin now constructs the user time stamp file path
+ name using the user-ID instead of the user name. This avoids a
+ potential problem with user names that contain a path separator
+ ('/') being interpreted as part of the path name. A similar
+ issue in sudo-rs has been assigned CVE-2023-42456.
+ * A path separator ('/') in a user, group or host name is now
+ replaced with an underbar character ('_') when expanding escapes
+ in @include and @includedir directives as well as the "iolog_file"
+ and "iolog_dir" sudoers Default settings.
+ * The "intercept_verify" sudoers option is now only applied when
+ the "intercept" option is set in sudoers. Previously, it was
+ also applied when "log_subcmds" was enabled. Sudo 1.9.14
+ contained an incorrect fix for this. Bug #1058.
+ * Changes to terminal settings are now performed atomically, where
+ possible. If the command is being run in a pseudo-terminal and
+ the user's terminal is already in raw mode, sudo will not change
+ the user's terminal settings. This prevents concurrent sudo
+ processes from restoring the terminal settings to the wrong values.
+ GitHub issue #312.
+ * Reverted a change from sudo 1.9.4 that resulted in PAM session
+ modules being called with the environment of the command to be
+ run instead of the environment of the invoking user.
+ GitHub issue #318.
+ * New Indonesian translation from translationproject.org.
+ * The sudo_logsrvd server will now raise its open file descriptor
+ limit to the maximum allowed value when it starts up. Each
+ connection can require up to nine open file descriptors so the
+ default soft limit may be too low.
+ * Better log message when rejecting a command if the "intercept"
+ option is enabled and the "intercept_allow_setid" option is
+ disabled. Previously, "command not allowed" would be logged and
+ the user had no way of knowing what the actual problem was.
+ * Sudo will now log the invoking user's environment as "submitenv"
+ in the JSON logs. The command's environment ("runenv") is no
+ longer logged for commands rejected by the sudoers file or an
+ approval plugin.
+
+-------------------------------------------------------------------
+Tue Nov 21 08:56:42 UTC 2023 - Dominique Leuenberger <dims...@opensuse.org>
+
+- Package/ship empty /etc/sudoers.d directory for admins to
+ discover where to put their won config.
+
+-------------------------------------------------------------------
+Wed Sep 20 08:34:12 UTC 2023 - Ludwig Nussel <lnus...@suse.com>
+
+- Introduce optional wheel and sudo group policies as separate packages
+ (bsc#1203978, jsc#PED-260)
+
+-------------------------------------------------------------------
+Wed Sep 14 13:06:51 UTC 2023 - Otto Hollmann <otto.hollm...@suse.com>
+
+- Install config files into /usr/etc and read from both location:
+ /etc and /usr/etc (bsc#1205118)
+
+-------------------------------------------------------------------
Old:
----
sudo-1.9.14p3.tar.gz
sudo-1.9.14p3.tar.gz.sig
New:
----
50-wheel-auth-self.conf
51-wheel.rules
sudo-1.9.15p2.tar.gz
sudo-1.9.15p2.tar.gz.sig
system-group-sudo.conf
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ sudo.spec ++++++
--- /var/tmp/diff_new_pack.OdZPKw/_old 2023-12-05 17:02:50.424316437 +0100
+++ /var/tmp/diff_new_pack.OdZPKw/_new 2023-12-05 17:02:50.428316585 +0100
@@ -16,8 +16,16 @@
#
+%if %{defined _distconfdir}
+%define confdir %{_distconfdir}
+%define confmode 0444
+%else
+%define confdir %{_sysconfdir}
+%define confmode 0440
+%endif
+
Name: sudo
-Version: 1.9.14p3
+Version: 1.9.15p2
Release: 0
Summary: Execute some commands as root
License: ISC
@@ -31,6 +39,9 @@
Source5: README.SUSE
Source6: fate_313276_test.sh
Source7: README_313276.test
+Source8: 50-wheel-auth-self.conf
+Source9: 51-wheel.rules
+Source10: system-group-sudo.conf
# PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
Patch0: sudo-sudoers.patch
BuildRequires: audit-devel
@@ -42,6 +53,7 @@
BuildRequires: pam-devel
BuildRequires: python3-devel
BuildRequires: systemd-rpm-macros
+BuildRequires: sysuser-tools
BuildRequires: zlib-devel
Requires(pre): coreutils
Requires(pre): permissions
@@ -49,12 +61,17 @@
%description
Sudo is a command that allows users to execute some commands as root.
-The %{_sysconfdir}/sudoers file (edited with 'visudo') specifies which users
have
+%if %{defined _distconfdir}
+Sudo reads either %{_sysconfdir}/sudoers or %{_distconfdir}/sudoers
+(in that order, whichever one it finds first), to determine what users have
+%else
+The %{_sysconfdir}/sudoers file specifies which users have
+%endif
access to sudo and which commands they can run. Sudo logs all its
activities to syslogd, so the system administrator can keep an eye on
-things. Sudo asks for the password for initializing a check period of a
+things. Sudo asks for the password to initialize a check period of a
given time N (where N is defined at installation and is set to 5
-minutes by default).
+minutes by default). Administrators can edit the sudoers file with 'visudo'.
%package plugin-python
Summary: Plugin API for python
@@ -82,10 +99,39 @@
%description test
Tests for fate#313276
+%package policy-wheel-auth-self
+Summary: Users in the wheel group can authenticate as admin
+Group: System/Base
+Requires: %{name} = %{version}
+Requires: group(wheel)
+
+%description policy-wheel-auth-self
+Sudo authentication policy that allows users in the wheel group to
+authenticate as root with their own password
+
+%package policy-sudo-auth-self
+Summary: Users in the sudo group can authenticate as admin
+Group: System/Base
+Requires: %{name} = %{version}
+Requires: group(sudo)
+
+%description policy-sudo-auth-self
+Sudo authentication policy that allows users in the sudo group to
+authenticate as root with their own password
+
+%package -n system-group-sudo
+Summary: System group 'sudo'
+Group: System/Fhs
+%{sysusers_requires}
+
+%description -n system-group-sudo
+This package provides the system group 'sudo'.
+
%prep
%autosetup -p1
%build
+%sysusers_generate_pre %{SOURCE10} sudo system-group-sudo.conf
%ifarch s390 s390x %{sparc}
F_PIE=-fPIE
%else
@@ -98,6 +144,11 @@
--docdir=%{_docdir}/%{name} \
--with-noexec=%{_libexecdir}/sudo/sudo_noexec.so \
--enable-tmpfiles.d=%{_tmpfilesdir} \
+%if %{defined _distconfdir}
+ --prefix=/usr \
+ --sysconfdir=%{_distconfdir} \
+ --enable-adminconf=%{_sysconfdir} \
+%endif
--with-pam \
--with-pam-login \
--with-ldap \
@@ -147,7 +198,22 @@
rm -f %{buildroot}%{_docdir}/%{name}/sample.pam
rm -f %{buildroot}%{_docdir}/%{name}/sample.syslog.conf
rm -f %{buildroot}%{_docdir}/%{name}/schema.OpenLDAP
-rm -f %{buildroot}%{_sysconfdir}/sudoers.dist
+rm -f %{buildroot}%{confdir}/sudoers.dist
+
+%if %{defined _distconfdir}
+# Move /etc to /usr/etc/
+mkdir -p %{buildroot}%{_distconfdir}/sudoers.d
%{buildroot}%{_sysconfdir}/sudoers.d
+chmod 644 %{buildroot}%{_distconfdir}/sudoers
+echo "@includedir /etc/sudoers.d" >> %{buildroot}%{_distconfdir}/sudoers
+%endif
+
+install -D -m 644 %{SOURCE8}
%{buildroot}%{confdir}/sudoers.d/50-wheel-auth-self
+install -D -m 644 %{SOURCE9}
%{buildroot}/usr/share/polkit-1/rules.d/51-wheel.rules
+
+sed -e 's/wheel/sudo/g' < %{SOURCE8} >
%{buildroot}%{confdir}/sudoers.d/50-sudo-auth-self
+sed -e 's/wheel/sudo/g' < %{SOURCE9} >
%{buildroot}/usr/share/polkit-1/rules.d/51-sudo.rules
+
+install -D -m 644 %{SOURCE10}
%{buildroot}%{_sysusersdir}/system-group-sudo.conf
%find_lang %{name}
%find_lang sudoers
@@ -172,10 +238,11 @@
for i in sudo sudo-i ; do
test -f %{_sysconfdir}/pam.d/${i}.rpmsave && mv -v
%{_sysconfdir}/pam.d/${i}.rpmsave %{_sysconfdir}/pam.d/${i} ||:
done
+test -f %{_sysconfdir}/sudoers.rpmsave && mv -v %{_sysconfdir}/sudoers.rpmsave
%{_sysconfdir}/sudoers ||:
%endif
%post
-chmod 0440 %{_sysconfdir}/sudoers
+[ -e %{_sysconfdir}/sudoers ] && chmod 0440 %{_sysconfdir}/sudoers
%if 0%{?suse_version} <= 1130
%run_permissions
%else
@@ -186,6 +253,8 @@
%verifyscript
%verify_permissions -e %{_bindir}/sudo
+%pre -n system-group-sudo -f sudo.pre
+
%files -f %{name}.lang
%license LICENSE.md
%doc %{_docdir}/%{name}
@@ -203,10 +272,12 @@
%{_mandir}/man8/sudo_logsrvd.8%{?ext_man}
%{_mandir}/man8/sudo_sendlog.8%{?ext_man}
-%config(noreplace) %attr(0440,root,root) %{_sysconfdir}/sudoers
-%attr(0750,root,root) %dir %{_sysconfdir}/sudoers.d
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sudo.conf
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sudo_logsrvd.conf
+%{!?_distconfdir:%config(noreplace)} %attr(%confmode,root,root)
%{confdir}/sudoers
+%attr(0750,root,root) %dir %{confdir}/sudoers.d
+%{?_distconfdir:%attr(0750,root,root) %dir %{_sysconfdir}/sudoers.d}
+%attr(0644,root,root) %config(noreplace) %{confdir}/sudo.conf
+%attr(0644,root,root) %config(noreplace) %{confdir}/sudo_logsrvd.conf
+
%if %{defined _distconfdir}
%{_pam_vendordir}/sudo
%{_pam_vendordir}/sudo-i
@@ -251,3 +322,19 @@
%files test
%{_localstatedir}/lib/tests
+%files policy-wheel-auth-self
+%{confdir}/sudoers.d/50-wheel-auth-self
+%dir /usr/share/polkit-1
+%dir %attr(0555,root,root) /usr/share/polkit-1/rules.d
+/usr/share/polkit-1/rules.d/51-wheel.rules
+
+%files policy-sudo-auth-self
+%{confdir}/sudoers.d/50-sudo-auth-self
+%dir /usr/share/polkit-1
+%dir %attr(0555,root,root) /usr/share/polkit-1/rules.d
+/usr/share/polkit-1/rules.d/51-sudo.rules
+
+%files -n system-group-sudo
+%defattr(-,root,root)
+%{_sysusersdir}/system-group-sudo.conf
+
++++++ 50-wheel-auth-self.conf ++++++
Defaults:%wheel !targetpw
%wheel ALL = (root) ALL
++++++ 51-wheel.rules ++++++
polkit._suse_admin_groups.push("wheel");
++++++ sudo-1.9.14p3.tar.gz -> sudo-1.9.15p2.tar.gz ++++++
++++ 116883 lines of diff (skipped)
++++++ sudo-sudoers.patch ++++++
--- /var/tmp/diff_new_pack.OdZPKw/_old 2023-12-05 17:02:51.416353004 +0100
+++ /var/tmp/diff_new_pack.OdZPKw/_new 2023-12-05 17:02:51.424353299 +0100
@@ -1,8 +1,8 @@
-Index: sudo-1.9.14p1/plugins/sudoers/sudoers.in
+Index: sudo-1.9.15p2/plugins/sudoers/sudoers.in
===================================================================
---- sudo-1.9.14p1.orig/plugins/sudoers/sudoers.in
-+++ sudo-1.9.14p1/plugins/sudoers/sudoers.in
-@@ -32,32 +32,23 @@
+--- sudo-1.9.15p2.orig/plugins/sudoers/sudoers.in
++++ sudo-1.9.15p2/plugins/sudoers/sudoers.in
+@@ -41,32 +41,23 @@
##
## Defaults specification
##
@@ -52,25 +52,28 @@
##
## Uncomment to restore the historic behavior where a command is run in
## the user's own terminal.
-@@ -72,10 +63,16 @@
+@@ -81,7 +72,6 @@
## Set maxseq to a smaller number if you don't have unlimited disk space.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
-# Defaults!/usr/local/bin/sudoreplay !log_output
# Defaults!REBOOT !log_output
# Defaults maxseq = 1000
+ ##
+@@ -95,6 +85,12 @@
+ ## slower by these options and also can clutter up the logs.
+ # Defaults!PKGMAN !intercept, !log_subcmds
+## In the default (unconfigured) configuration, sudo asks for the root
password.
+## This allows use of an ordinary user account for administration of a freshly
-+## installed system. When configuring sudo, delete the two
-+## following lines:
++## installed system.
+Defaults targetpw # ask for the password of the target user i.e. root
+ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults
targetpw'!
+
##
## Runas alias specification
##
-@@ -91,13 +88,5 @@ root ALL=(ALL:ALL) ALL
+@@ -110,13 +106,5 @@ root ALL=(ALL:ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL:ALL) NOPASSWD: ALL
++++++ system-group-sudo.conf ++++++
# Type Name ID GECOS [HOME]
g sudo -
