Hello community, here is the log from the commit of package yast2-sudo for openSUSE:Factory checked in at 2020-01-05 15:21:19 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/yast2-sudo (Old) and /work/SRC/openSUSE:Factory/.yast2-sudo.new.6675 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-sudo" Sun Jan 5 15:21:19 2020 rev:40 rq:760416 version:4.2.2 Changes: -------- --- /work/SRC/openSUSE:Factory/yast2-sudo/yast2-sudo.changes 2019-07-31 14:24:18.890374391 +0200 +++ /work/SRC/openSUSE:Factory/.yast2-sudo.new.6675/yast2-sudo.changes 2020-01-05 15:21:25.817569193 +0100 @@ -1,0 +2,7 @@ +Tue Dec 31 10:07:40 UTC 2019 - David Diaz <[email protected]> + +- Do not truncate the sudoers file after write changes + (bsc#1156929). +- 4.2.2 + +------------------------------------------------------------------- @@ -47,0 +55 @@ +- 3.1.2 @@ -52,0 +61 @@ +- 3.1.1 Old: ---- yast2-sudo-4.2.1.tar.bz2 New: ---- yast2-sudo-4.2.2.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ yast2-sudo.spec ++++++ --- /var/tmp/diff_new_pack.o8Vyt7/_old 2020-01-05 15:21:26.853569713 +0100 +++ /var/tmp/diff_new_pack.o8Vyt7/_new 2020-01-05 15:21:26.857569715 +0100 @@ -1,7 +1,7 @@ # # spec file for package yast2-sudo # -# Copyright (c) 2019 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -20,7 +20,7 @@ Summary: YaST2 - Sudo configuration License: GPL-2.0-only Group: System/YaST -Version: 4.2.1 +Version: 4.2.2 Release: 0 Url: https://github.com/yast/yast-sudo ++++++ yast2-sudo-4.2.1.tar.bz2 -> yast2-sudo-4.2.2.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-sudo-4.2.1/package/yast2-sudo.changes new/yast2-sudo-4.2.2/package/yast2-sudo.changes --- old/yast2-sudo-4.2.1/package/yast2-sudo.changes 2019-07-19 11:53:16.000000000 +0200 +++ new/yast2-sudo-4.2.2/package/yast2-sudo.changes 2020-01-02 13:53:37.000000000 +0100 
@@ -1,4 +1,11 @@ ------------------------------------------------------------------- +Tue Dec 31 10:07:40 UTC 2019 - David Diaz <[email protected]> + +- Do not truncate the sudoers file after write changes + (bsc#1156929). +- 4.2.2 + +------------------------------------------------------------------- Fri Jul 19 09:49:14 UTC 2019 - David Diaz <[email protected]> - Added "BuildRequires: update-desktop-files" @@ -45,11 +52,13 @@ Thu Dec 4 09:51:39 UTC 2014 - [email protected] - remove X-KDE-Library from desktop file (bnc#899104) +- 3.1.2 ------------------------------------------------------------------- Wed Nov 13 15:56:18 UTC 2013 - [email protected] - Add explicit COPYING file +- 3.1.1 ------------------------------------------------------------------- Thu Sep 19 17:27:07 UTC 2013 - [email protected] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-sudo-4.2.1/package/yast2-sudo.spec new/yast2-sudo-4.2.2/package/yast2-sudo.spec --- old/yast2-sudo-4.2.1/package/yast2-sudo.spec 2019-07-19 11:53:16.000000000 +0200 +++ new/yast2-sudo-4.2.2/package/yast2-sudo.spec 2020-01-02 13:53:37.000000000 +0100 @@ -18,7 +18,7 @@ Name: yast2-sudo Summary: YaST2 - Sudo configuration -Version: 4.2.1 +Version: 4.2.2 Release: 0 Url: https://github.com/yast/yast-sudo Group: System/YaST diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-sudo-4.2.1/src/servers_non_y2/ag_etc_sudoers new/yast2-sudo-4.2.2/src/servers_non_y2/ag_etc_sudoers --- old/yast2-sudo-4.2.1/src/servers_non_y2/ag_etc_sudoers 2019-07-19 11:53:16.000000000 +0200 +++ new/yast2-sudo-4.2.2/src/servers_non_y2/ag_etc_sudoers 2020-01-02 13:53:37.000000000 +0100 
@@ -3,6 +3,15 @@
 # Author: Bubli <[email protected]>
 #
 # An agent for parsing /etc/sudoers file
+#
+# TODO: add support to understand and manage #include and #includedir directives. As they start with
+# the pound sign ('#'), they look like a comment and are being processed as, which means
+#
+# * the agent doesn't know/is ignoring the configuration defined by the files supposed to be
+# included
+# * those directives are being included as part of the "$previous_content", formerly "$comment",
+# associated with the next rule or alias found while processing the file. This is wrong since
+# they must not be moved or deleted along with the rule as if they were comments.
 use ycp;
 use strict;
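Review bot: The new TODO comment has a dangling clause, `they look like a comment and are being processed as, which means`; `are being processed as such, which means` completes the sentence. Since this comment is the only place the agent documents that `#include`/`#includedir` lines are carried as opaque `$previous_content` text rather than understood, it is worth keeping precise, because a reader relying on it decides whether a YaST rewrite can silently drop an include directive.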
@@ -11,148 +20,164 @@ my $filename = "/etc/sudoers"; -my @data2 = (); #= ( +# ( # "Host_Alias" => [ ["# Host Alias Specification","SERVERS", "ns, www, mail"],["","FOO", "www.foo.org"] ], # "User_Alias" => [ ["# User Alias Specification", "BAT","foobar"], ["","WWW", "wwwrun"] ], # "Cmnd_Alias" => [ ["# Command Alias Specification", "HALT", "/usr/sbin/halt, /usr/sbin/shutdown -h now,"], ["","REBOOT", "/sbin/reboot"] ], # "Runas_Alias" => [ ], -# "Defaults" => [["#Defaults specification","env_reset",""],["","always_set_home",""] ], -# 'root' => [ ["# User privilege specification", "ALL", "(ALL) ALL"] ], -# '%wheel' => [ ["# Same thing without password", "ALL", "(ALL) NOPASSWD: HALT,REBOOT"] ], +# "Defaults" => [["#Defaults specification","env_reset",""],["","always_set_home",""] ], +# 'root' => [ ["# User privilege specification", "ALL", "(ALL) ALL"] ], +# '%wheel' => [ ["# Same thing without password", "ALL", "(ALL) NOPASSWD: HALT,REBOOT"] ], # ); +my @data2 = (); - +# bsc#1156929: by original design, the loop parsing the file is discarding all lines after the last +# sudo rule found, which is no longer acceptable since there could be relevant content as directives +# like: +# +# #includedir /etc/sudoers.d +# +# which looks like a comment. +# +# So, lets keep the "rest of the file" to dump it at the end when re-writting the file. +my $rest_of_file = ""; sub parse_file { - if (!open(INFILE, $filename)) { - return 1 if ($! 
== ENOENT); #File doesn't exist (yet) - y2error("Could not open file $filename for reading: %1", $!); - return 0; - } - - my $comment = ""; - my $line = ""; - while (<INFILE>) { - chomp; - $line .= $_; - #a line is a comment - if ($line =~ m/^\s*$/ || $line =~ m/^#/) { - $comment .= "$_\n"; - $line = ""; - next; - } - - #a line is \-terminated multiline rule/alias - #save it and continue on the next line - if ($line =~ m/^(.*)\\$/){ - $line = $1; - next; - } - - my $alias = ""; - - my @entry2 = (); - if ($line =~ m/^(\S+)\s+(\S+)\s*=\s*([^#]*)/) { - $alias =$1; - push(@entry2, $comment, $alias, $2, $3); - } - elsif ($line =~ m/^(\S+)\s+(\S+)/) { - $alias =$1; - push(@entry2, $comment, $alias, $2); - } - - push (@data2, \@entry2); - - $comment = ""; - $line = ""; - } + if ( !open( INFILE, $filename ) ) { + return 1 if ( $! == ENOENT ); #File doesn't exist (yet) + y2error( "Could not open file $filename for reading: %1", $! ); + return 0; + } + + my $line = ""; + my $previous_content = ""; + + while (<INFILE>) { + chomp; + $line .= $_; + + # The line is empty, a comment, or a directive like "#includedir /etc/sudoers.d" + if ( $line =~ m/^\s*$/ || $line =~ m/^#/ ) { + $previous_content .= "$_\n"; + $line = ""; + next; + } + + # The line is \-terminated multiline rule/alias + # Save it and continue on the next line + if ( $line =~ m/^(.*)\\$/ ) { + $line = $1; + next; + } + + my @entry2 = (); + my $alias = ""; + + if ( $line =~ m/^(\S+)\s+(\S+)\s*=\s*([^#]*)/ ) { + $alias = $1; + push( @entry2, $previous_content, $alias, $2, $3 ); + } elsif ( $line =~ m/^(\S+)\s+(\S+)/ ) { + $alias = $1; + push( @entry2, $previous_content, $alias, $2 ); + } + + push( @data2, \@entry2 ); + + $line = ""; + $previous_content = ""; + } - close (INFILE); - return 1; + # Keep the content after last rule found + $rest_of_file = $previous_content; + + close(INFILE); + return 1; } sub store_line { - my $line = $_[0]; - my ($comment, $type, $name, $members) = @{$line}; + my $line = $_[0]; + my ( 
$previous_content, $type, $name, $members ) = @{$line}; - if($comment){ - print OUTFILE $comment; - } - if($members) { - print OUTFILE $type,"\t", $name, " = ", $members, "\n"; - } - else { - print OUTFILE $type,"\t", $name,"\n"; - } + if ($previous_content) { + print OUTFILE $previous_content; + } + + if ($members) { + print OUTFILE $type, "\t", $name, " = ", $members, "\n"; + } else { + print OUTFILE $type, "\t", $name, "\n"; + } } sub store_file { + open( OUTFILE, ">$filename.YaST2.new" ) + or return y2error( "Could not open file $filename.YaST2.new for writing: %1", $! ), 0; + + # Write the data content + foreach my $line (@data2) { + store_line($line); - open(OUTFILE,">$filename.YaST2.new") - or return y2error("Could not open file $filename.YaST2.new for writing: %1", $!), 0; - - #Dump the rest - foreach my $line (@data2) { - store_line($line); - #delete($data{$key}); - } - - close(OUTFILE); - - #try syntax checking - non-zero return value of system() means failure - # supress any output of visudo command, otherwise YaST thinks agent is exiting - my $status = system ("visudo -cqf $filename.YaST2.new >/dev/null 2>&1"); - if ($status != 0){ - return y2error("Syntax error in $filename.YaST2.new"), 0; - } - - if (-f $filename) { - rename $filename, "$filename.YaST2.save" or return y2error("Error creating backup: $!"), 0; - } - rename "$filename.YaST2.new", $filename or return y2error("Error moving temp file: $!"), 0; - - #Save /etc/sudoers with 0440 access rights - FaTE #300934 - chmod(0440,$filename); - return 1; -} + #delete($data{$key}); + } + + # Dump comments and directives previously found after last rule + print OUTFILE $rest_of_file; + + close(OUTFILE); + + # Try syntax checking - non-zero return value of system() means failure + # supress any output of visudo command, otherwise YaST thinks agent is exiting + my $status = system("visudo -cqf $filename.YaST2.new >/dev/null 2>&1"); + + if ( $status != 0 ) { + return y2error("Syntax error in 
$filename.YaST2.new"), 0; + } + + if ( -f $filename ) { + rename $filename, "$filename.YaST2.save" + or return y2error("Error creating backup: $!"), 0; + } + + rename "$filename.YaST2.new", $filename + or return y2error("Error moving temp file: $!"), 0; + + # Save /etc/sudoers with 0440 access rights - FaTE #300934 + chmod( 0440, $filename ); + return 1; +} -#parse whole file at once, fill in %data structure +# Parse the whole file at once, fill in %data structure parse_file(); -#main loop -while ( <STDIN> ) { - my ($command, $path, $argument) = ycp::ParseCommand ($_); - - if($command eq "Read") { - ycp::Return(\@data2); - } - - elsif($command eq "Write") { - my $result = "true"; - if ($path eq "." && ref($argument) eq "ARRAY") { - @data2 = @{$argument}; - } - elsif ($path eq "." && !defined($argument)) { - $result = store_file() ? "true" : "false"; - } - else { - y2error("Invalid path $path, or argument:", ref($argument)); - $result = "false"; - } - - ycp::Return($result); - } - - elsif ($command eq "result") { - exit; - } - - else { - y2error("Unknown instruction $command, or argument:", ref ($argument)); - ycp::Return("false"); - } +# Main loop +while (<STDIN>) { + my ( $command, $path, $argument ) = ycp::ParseCommand($_); + + if ( $command eq "Read" ) { + ycp::Return( \@data2 ); + + } elsif ( $command eq "Write" ) { + my $result = "true"; + if ( $path eq "." && ref($argument) eq "ARRAY" ) { + @data2 = @{$argument}; + } elsif ( $path eq "." && !defined($argument) ) { + $result = store_file() ? "true" : "false"; + } else { + y2error( "Invalid path $path, or argument:", ref($argument) ); + $result = "false"; + } + + ycp::Return($result); + + } elsif ( $command eq "result" ) { + exit; + + } else { + y2error( "Unknown instruction $command, or argument:", ref($argument) ); + ycp::Return("false"); + } } -#Debug only ! -#print STDERR Dumper(\@data2); +# Debug only ! +# print STDERR Dumper(\@data2);
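Review bot: `close(OUTFILE)` in store_file ignores its return value, so a buffered write failure (for example a full filesystem under /etc) is lost silently and a short `$filename.YaST2.new` goes on to visudo; if the truncation happens to land on a line boundary visudo accepts it and the shortened file replaces /etc/sudoers, which is exactly the kind of content loss bsc#1156929 is about. Check it in the same style as the surrounding steps, `close(OUTFILE) or return y2error("Error writing $filename.YaST2.new: %1", $!), 0;`. Separately, the temp file is created under whatever umask the agent inherits, so until the final `chmod( 0440, $filename )` the sudoers content may sit world-readable in /etc; a `my $old_umask = umask(077);` before the open, restored with `umask($old_umask)` right after it, keeps that window closed. The 2-arg `open(OUTFILE, ">$filename.YaST2.new")` and the shell-string `system("visudo -cqf $filename.YaST2.new >/dev/null 2>&1")` are safe only because `$filename` is a fixed literal; 3-arg open with a lexical handle and the list form of system would preserve that property if the path ever becomes configurable.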
