Hello community,

here is the log from the commit of package sudo for openSUSE:Factory checked in 
at 2023-12-05 17:02:24
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sudo (Old)
 and      /work/SRC/openSUSE:Factory/.sudo.new.25432 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "sudo"

Tue Dec  5 17:02:24 2023 rev:149 rq:1128361 version:1.9.15p2

Changes:
--------
--- /work/SRC/openSUSE:Factory/sudo/sudo.changes        2023-09-13 
20:43:41.480219004 +0200
+++ /work/SRC/openSUSE:Factory/.sudo.new.25432/sudo.changes     2023-12-05 
17:02:49.084267043 +0100
@@ -1,0 +2,95 @@
+Wed Nov 22 12:46:00 UTC 2023 - Otto Hollmann <otto.hollm...@suse.com>
+
+- Update to 1.9.15p2:
+  * Fixed a bug on BSD systems where sudo would not restore the
+    terminal settings on exit if the terminal had parity enabled.
+    GitHub issue #326.
+- Update to 1.9.15p1:
+  * Fixed a bug introduced in sudo 1.9.15 that prevented LDAP-based
+    sudoers from being able to read the ldap.conf file.
+    GitHub issue #325.
+- Update to 1.9.15:
+  * Fixed an undefined symbol problem on older versions of macOS
+    when "intercept" or "log_subcmds" are enabled in sudoers.
+    GitHub issue #276.
+  * Fixed "make check" failure related to getpwent(3) wrapping
+    on NetBSD.
+  * Fixed the warning message for "sudo -l command" when the command
+    is not permitted.  There was a missing space between "list" and
+    the actual command due to changes in sudo 1.9.14.
+  * Fixed a bug where output could go to the wrong terminal if
+    "use_pty" is enabled (the default) and the standard input, output
+    or error is redirected to a different terminal.  Bug #1056.
+  * The visudo utility will no longer create an empty file when the
+    specified sudoers file does not exist and the user exits the
+    editor without making any changes.  GitHub issue #294.
+  * The AIX and Solaris sudo packages on www.sudo.ws now support
+    "log_subcmds" and "intercept" with both 32-bit and 64-bit
+    binaries.  Previously, they only worked when running binaries
+    with the same word size as the sudo binary.  GitHub issue #289.
+  * The sudoers source is now logged in the JSON event log.  This
+    makes it possible to tell which rule resulted in a match.
+  * Running "sudo -ll command" now produces verbose output that
+    includes matching rule as well as the path to the sudoers file
+    the matching rule came from.  For LDAP sudoers, the name of the
+    matching sudoRole is printed instead.
+  * The embedded copy of zlib has been updated to version 1.3.
+  * The sudoers plugin has been modified to make it more resilient
+    to ROWHAMMER attacks on authentication and policy matching.
+    This addresses CVE-2023-42465.
+  * The sudoers plugin now constructs the user time stamp file path
+    name using the user-ID instead of the user name.  This avoids a
+    potential problem with user names that contain a path separator
+    ('/') being interpreted as part of the path name.  A similar
+    issue in sudo-rs has been assigned CVE-2023-42456.
+  * A path separator ('/') in a user, group or host name is now
+    replaced with an underbar character ('_') when expanding escapes
+    in @include and @includedir directives as well as the "iolog_file"
+    and "iolog_dir" sudoers Default settings.
+  * The "intercept_verify" sudoers option is now only applied when
+    the "intercept" option is set in sudoers.  Previously, it was
+    also applied when "log_subcmds" was enabled.  Sudo 1.9.14
+    contained an incorrect fix for this.  Bug #1058.
+  * Changes to terminal settings are now performed atomically, where
+    possible.  If the command is being run in a pseudo-terminal and
+    the user's terminal is already in raw mode, sudo will not change
+    the user's terminal settings.  This prevents concurrent sudo
+    processes from restoring the terminal settings to the wrong values.
+    GitHub issue #312.
+  * Reverted a change from sudo 1.9.4 that resulted in PAM session
+    modules being called with the environment of the command to be
+    run instead of the environment of the invoking user.
+    GitHub issue #318.
+  * New Indonesian translation from translationproject.org.
+  * The sudo_logsrvd server will now raise its open file descriptor
+    limit to the maximum allowed value when it starts up.  Each
+    connection can require up to nine open file descriptors so the
+    default soft limit may be too low.
+  * Better log message when rejecting a command if the "intercept"
+    option is enabled and the "intercept_allow_setid" option is
+    disabled.  Previously, "command not allowed" would be logged and
+    the user had no way of knowing what the actual problem was.
+  * Sudo will now log the invoking user's environment as "submitenv"
+    in the JSON logs.  The command's environment ("runenv") is no
+    longer logged for commands rejected by the sudoers file or an
+    approval plugin.
+
+-------------------------------------------------------------------
+Tue Nov 21 08:56:42 UTC 2023 - Dominique Leuenberger <dims...@opensuse.org>
+
+- Package/ship empty /etc/sudoers.d directory for admins to
+  discover where to put their won config.
+
+-------------------------------------------------------------------
+Wed Sep 20 08:34:12 UTC 2023 - Ludwig Nussel <lnus...@suse.com>
+
+- Introduce optional wheel and sudo group policies as separate packages
+  (bsc#1203978, jsc#PED-260)
+
+-------------------------------------------------------------------
+Wed Sep 14 13:06:51 UTC 2023 - Otto Hollmann <otto.hollm...@suse.com>
+
+- Install config files into /usr/etc and read from both location:
+  /etc and /usr/etc (bsc#1205118)
+
+-------------------------------------------------------------------
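Review bot: The new changelog entries contain two typos and one inconsistent date. In the Nov 21 entry "where to put their won config" should read "own config", and in the last entry "read from both location" should read "both locations". The last entry is also stamped "Wed Sep 14 13:06:51 UTC 2023", yet the entry above it gives Sep 20 2023 as a Wednesday, so Sep 14 2023 cannot be one as well; please correct the weekday or the year so the changelog dates are self-consistent.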

Old:
----
  sudo-1.9.14p3.tar.gz
  sudo-1.9.14p3.tar.gz.sig

New:
----
  50-wheel-auth-self.conf
  51-wheel.rules
  sudo-1.9.15p2.tar.gz
  sudo-1.9.15p2.tar.gz.sig
  system-group-sudo.conf

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ sudo.spec ++++++
--- /var/tmp/diff_new_pack.OdZPKw/_old  2023-12-05 17:02:50.424316437 +0100
+++ /var/tmp/diff_new_pack.OdZPKw/_new  2023-12-05 17:02:50.428316585 +0100
@@ -16,8 +16,16 @@
 #
 
 
+%if %{defined _distconfdir}
+%define confdir %{_distconfdir}
+%define confmode 0444
+%else
+%define confdir %{_sysconfdir}
+%define confmode 0440
+%endif
+
 Name:           sudo
-Version:        1.9.14p3
+Version:        1.9.15p2
 Release:        0
 Summary:        Execute some commands as root
 License:        ISC
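Review bot: "%define confmode 0444" in the _distconfdir branch makes the vendor sudoers world-readable while the %else branch keeps 0440, and nothing in the spec says why the two differ. Please add a comment next to the define that states the reason for the looser mode, or use 0440 in both branches.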
@@ -31,6 +39,9 @@
 Source5:        README.SUSE
 Source6:        fate_313276_test.sh
 Source7:        README_313276.test
+Source8:        50-wheel-auth-self.conf
+Source9:        51-wheel.rules
+Source10:       system-group-sudo.conf
 # PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
 Patch0:         sudo-sudoers.patch
 BuildRequires:  audit-devel
@@ -42,6 +53,7 @@
 BuildRequires:  pam-devel
 BuildRequires:  python3-devel
 BuildRequires:  systemd-rpm-macros
+BuildRequires:  sysuser-tools
 BuildRequires:  zlib-devel
 Requires(pre):  coreutils
 Requires(pre):  permissions
@@ -49,12 +61,17 @@
 
 %description
 Sudo is a command that allows users to execute some commands as root.
-The %{_sysconfdir}/sudoers file (edited with 'visudo') specifies which users 
have
+%if %{defined _distconfdir}
+Sudo reads either %{_sysconfdir}/sudoers or %{_distconfdir}/sudoers
+(in that order, whichever one it finds first), to determine what users have
+%else
+The %{_sysconfdir}/sudoers file specifies which users have
+%endif
 access to sudo and which commands they can run. Sudo logs all its
 activities to syslogd, so the system administrator can keep an eye on
-things. Sudo asks for the password for initializing a check period of a
+things. Sudo asks for the password to initialize a check period of a
 given time N (where N is defined at installation and is set to 5
-minutes by default).
+minutes by default). Administrators can edit the sudoers file with 'visudo'.
 
 %package plugin-python
 Summary:        Plugin API for python
@@ -82,10 +99,39 @@
 %description test
 Tests for fate#313276
 
+%package policy-wheel-auth-self
+Summary:        Users in the wheel group can authenticate as admin
+Group:          System/Base
+Requires:       %{name} = %{version}
+Requires:       group(wheel)
+
+%description policy-wheel-auth-self
+Sudo authentication policy that allows users in the wheel group to
+authenticate as root with their own password
+
+%package policy-sudo-auth-self
+Summary:        Users in the sudo group can authenticate as admin
+Group:          System/Base
+Requires:       %{name} = %{version}
+Requires:       group(sudo)
+
+%description policy-sudo-auth-self
+Sudo authentication policy that allows users in the sudo group to
+authenticate as root with their own password
+
+%package -n system-group-sudo
+Summary:        System group 'sudo'
+Group:          System/Fhs
+%{sysusers_requires}
+
+%description -n system-group-sudo
+This package provides the system group 'sudo'.
+
 %prep
 %autosetup -p1
 
 %build
+%sysusers_generate_pre %{SOURCE10} sudo system-group-sudo.conf
 %ifarch s390 s390x %{sparc}
 F_PIE=-fPIE
 %else
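Review bot: The %description texts of policy-wheel-auth-self and policy-sudo-auth-self mention only sudo, but the %files sections further down also ship a polkit rule in each package (51-wheel.rules and 51-sudo.rules), and 51-wheel.rules pushes the group into polkit._suse_admin_groups. Installing either package therefore changes polkit behaviour too; please say so in the Summary and description so that an admin who installs a "sudo policy" is not surprised by it. Both descriptions also lack the closing full stop.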
@@ -98,6 +144,11 @@
     --docdir=%{_docdir}/%{name} \
     --with-noexec=%{_libexecdir}/sudo/sudo_noexec.so \
     --enable-tmpfiles.d=%{_tmpfilesdir} \
+%if %{defined _distconfdir}
+    --prefix=/usr \
+    --sysconfdir=%{_distconfdir} \
+    --enable-adminconf=%{_sysconfdir} \
+%endif
     --with-pam \
     --with-pam-login \
     --with-ldap \
@@ -147,7 +198,22 @@
 rm -f %{buildroot}%{_docdir}/%{name}/sample.pam
 rm -f %{buildroot}%{_docdir}/%{name}/sample.syslog.conf
 rm -f %{buildroot}%{_docdir}/%{name}/schema.OpenLDAP
-rm -f %{buildroot}%{_sysconfdir}/sudoers.dist
+rm -f %{buildroot}%{confdir}/sudoers.dist
+
+%if %{defined _distconfdir}
+# Move /etc to /usr/etc/
+mkdir -p %{buildroot}%{_distconfdir}/sudoers.d 
%{buildroot}%{_sysconfdir}/sudoers.d
+chmod 644 %{buildroot}%{_distconfdir}/sudoers
+echo "@includedir /etc/sudoers.d" >> %{buildroot}%{_distconfdir}/sudoers
+%endif
+
+install -D -m 644 %{SOURCE8} 
%{buildroot}%{confdir}/sudoers.d/50-wheel-auth-self
+install -D -m 644 %{SOURCE9} 
%{buildroot}/usr/share/polkit-1/rules.d/51-wheel.rules
+
+sed -e 's/wheel/sudo/g' < %{SOURCE8} > 
%{buildroot}%{confdir}/sudoers.d/50-sudo-auth-self
+sed -e 's/wheel/sudo/g' < %{SOURCE9} > 
%{buildroot}/usr/share/polkit-1/rules.d/51-sudo.rules
+
+install -D -m 644 %{SOURCE10} 
%{buildroot}%{_sysusersdir}/system-group-sudo.conf
 
 %find_lang %{name}
 %find_lang sudoers
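Review bot: The two "sed -e 's/wheel/sudo/g' < ... > ..." lines create 50-sudo-auth-self and 51-sudo.rules through shell redirection, so their mode comes from the build umask, whereas the wheel variants just above are installed with an explicit "install -D -m 644". Please write the sed output to a temporary file and install it with -m 644, or set %attr on these files in %files. Two smaller points: the unanchored s/wheel/sudo/g will also rewrite any other occurrence of "wheel" that is later added to those sources, and the echo line hard-codes "@includedir /etc/sudoers.d" while the mkdir above it spells the same directory as %{_sysconfdir}/sudoers.d.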
@@ -172,10 +238,11 @@
 for i in  sudo sudo-i ; do
   test -f %{_sysconfdir}/pam.d/${i}.rpmsave && mv -v 
%{_sysconfdir}/pam.d/${i}.rpmsave %{_sysconfdir}/pam.d/${i} ||:
 done
+test -f %{_sysconfdir}/sudoers.rpmsave && mv -v %{_sysconfdir}/sudoers.rpmsave 
%{_sysconfdir}/sudoers ||:
 %endif
 
 %post
-chmod 0440 %{_sysconfdir}/sudoers
+[ -e  %{_sysconfdir}/sudoers ] && chmod 0440 %{_sysconfdir}/sudoers
 %if 0%{?suse_version} <= 1130
 %run_permissions
 %else
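Review bot: The added "test -f %{_sysconfdir}/sudoers.rpmsave && mv -v ... %{_sysconfdir}/sudoers ||:" moves the .rpmsave copy over %{_sysconfdir}/sudoers without checking whether the target already exists, so a sudoers file the admin has created in the meantime would be replaced without notice. Please guard the mv with a "! -e" test on the target. In %post, "[ -e  %{_sysconfdir}/sudoers ] && chmod 0440 ..." leaves a non-zero status when the file is absent; an if/then/fi or a trailing "||:" as on the rpmsave line would be more robust, and the double space after -e can go.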
@@ -186,6 +253,8 @@
 %verifyscript
 %verify_permissions -e %{_bindir}/sudo
 
+%pre -n system-group-sudo -f sudo.pre
+
 %files -f %{name}.lang
 %license LICENSE.md
 %doc %{_docdir}/%{name}
@@ -203,10 +272,12 @@
 %{_mandir}/man8/sudo_logsrvd.8%{?ext_man}
 %{_mandir}/man8/sudo_sendlog.8%{?ext_man}
 
-%config(noreplace) %attr(0440,root,root) %{_sysconfdir}/sudoers
-%attr(0750,root,root) %dir %{_sysconfdir}/sudoers.d
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sudo.conf
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sudo_logsrvd.conf
+%{!?_distconfdir:%config(noreplace)} %attr(%confmode,root,root) 
%{confdir}/sudoers
+%attr(0750,root,root) %dir %{confdir}/sudoers.d
+%{?_distconfdir:%attr(0750,root,root) %dir %{_sysconfdir}/sudoers.d}
+%attr(0644,root,root) %config(noreplace) %{confdir}/sudo.conf
+%attr(0644,root,root) %config(noreplace) %{confdir}/sudo_logsrvd.conf
+
 %if %{defined _distconfdir}
 %{_pam_vendordir}/sudo
 %{_pam_vendordir}/sudo-i
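Review bot: sudo.conf and sudo_logsrvd.conf keep "%config(noreplace)" after moving to %{confdir}, while sudoers drops it when _distconfdir is defined ("%{!?_distconfdir:%config(noreplace)}"). If files under %{_distconfdir} are meant to be vendor defaults that admins override in %{_sysconfdir}, the two .conf entries should get the same conditional; if they are still meant to be edited in place, a comment explaining the difference would help.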
@@ -251,3 +322,19 @@
 %files test
 %{_localstatedir}/lib/tests
 
+%files policy-wheel-auth-self
+%{confdir}/sudoers.d/50-wheel-auth-self
+%dir /usr/share/polkit-1
+%dir %attr(0555,root,root) /usr/share/polkit-1/rules.d
+/usr/share/polkit-1/rules.d/51-wheel.rules
+
+%files policy-sudo-auth-self
+%{confdir}/sudoers.d/50-sudo-auth-self
+%dir /usr/share/polkit-1
+%dir %attr(0555,root,root) /usr/share/polkit-1/rules.d
+/usr/share/polkit-1/rules.d/51-sudo.rules
+
+%files -n system-group-sudo
+%defattr(-,root,root)
+%{_sysusersdir}/system-group-sudo.conf
+
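Review bot: Both policy packages list "%dir /usr/share/polkit-1" and "%dir %attr(0555,root,root) /usr/share/polkit-1/rules.d" themselves, but their preambles require only %{name} and the group, not polkit. Please confirm that the hard-coded 0555 matches the mode the polkit package ships for rules.d, so that the owners of this directory do not disagree about it, and consider whether a dependency on polkit is intended.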

++++++ 50-wheel-auth-self.conf ++++++
Defaults:%wheel !targetpw
%wheel ALL = (root) ALL
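Review bot: The drop-in has no comment header, and the 50-sudo-auth-self file that %install derives from it with sed will have none either. Please add a short comment saying that "Defaults:%wheel !targetpw" makes group members authenticate with their own password and that the rule covers the runas user root only ("(root)", no group), so that an admin who finds the file in sudoers.d can tell what it changes.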

++++++ 51-wheel.rules ++++++
polkit._suse_admin_groups.push("wheel");

++++++ sudo-1.9.14p3.tar.gz -> sudo-1.9.15p2.tar.gz ++++++
++++ 116883 lines of diff (skipped)

++++++ sudo-sudoers.patch ++++++
--- /var/tmp/diff_new_pack.OdZPKw/_old  2023-12-05 17:02:51.416353004 +0100
+++ /var/tmp/diff_new_pack.OdZPKw/_new  2023-12-05 17:02:51.424353299 +0100
@@ -1,8 +1,8 @@
-Index: sudo-1.9.14p1/plugins/sudoers/sudoers.in
+Index: sudo-1.9.15p2/plugins/sudoers/sudoers.in
 ===================================================================
---- sudo-1.9.14p1.orig/plugins/sudoers/sudoers.in
-+++ sudo-1.9.14p1/plugins/sudoers/sudoers.in
-@@ -32,32 +32,23 @@
+--- sudo-1.9.15p2.orig/plugins/sudoers/sudoers.in
++++ sudo-1.9.15p2/plugins/sudoers/sudoers.in
+@@ -41,32 +41,23 @@
  ##
  ## Defaults specification
  ##
@@ -52,25 +52,28 @@
  ##
  ## Uncomment to restore the historic behavior where a command is run in
  ## the user's own terminal.
-@@ -72,10 +63,16 @@
+@@ -81,7 +72,6 @@
  ## Set maxseq to a smaller number if you don't have unlimited disk space.
  # Defaults log_output
  # Defaults!/usr/bin/sudoreplay !log_output
 -# Defaults!/usr/local/bin/sudoreplay !log_output
  # Defaults!REBOOT !log_output
  # Defaults maxseq = 1000
+ ##
+@@ -95,6 +85,12 @@
+ ## slower by these options and also can clutter up the logs.
+ # Defaults!PKGMAN !intercept, !log_subcmds
  
 +## In the default (unconfigured) configuration, sudo asks for the root 
password.
 +## This allows use of an ordinary user account for administration of a freshly
-+## installed system. When configuring sudo, delete the two
-+## following lines:
++## installed system.
 +Defaults targetpw   # ask for the password of the target user i.e. root
 +ALL   ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults 
targetpw'!
 +
  ##
  ## Runas alias specification
  ##
-@@ -91,13 +88,5 @@ root ALL=(ALL:ALL) ALL
+@@ -110,13 +106,5 @@ root ALL=(ALL:ALL) ALL
  ## Same thing without a password
  # %wheel ALL=(ALL:ALL) NOPASSWD: ALL
  
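Review bot: Dropping "When configuring sudo, delete the two following lines:" from the comment leaves "Defaults targetpw" and "ALL   ALL=(ALL) ALL" in the shipped sudoers with no hint about how an admin is expected to move away from them. With the new policy packages, "Defaults:%wheel !targetpw" changes the password prompt for group members only; the "ALL ALL=(ALL) ALL" rule stays in effect for every other user who knows the root password. Please replace the removed sentence with guidance that fits the new layout, for example a pointer to the sudoers.d drop-ins, instead of removing it outright.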

++++++ system-group-sudo.conf ++++++
# Type Name ID GECOS [HOME]
g sudo -
