Hello community, here is the log from the commit of package yast2-sudo for openSUSE:Factory checked in at 2020-10-18 16:20:28 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/yast2-sudo (Old) and /work/SRC/openSUSE:Factory/.yast2-sudo.new.3486 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "yast2-sudo" Sun Oct 18 16:20:28 2020 rev:42 rq:840425 version:4.3.0 Changes: -------- --- /work/SRC/openSUSE:Factory/yast2-sudo/yast2-sudo.changes 2020-03-01 21:26:55.436423616 +0100 +++ /work/SRC/openSUSE:Factory/.yast2-sudo.new.3486/yast2-sudo.changes 2020-10-18 16:20:35.156468516 +0200 @@ -1,0 +2,10 @@ +Thu Oct 8 14:43:17 UTC 2020 - Josef Reidinger <jreidin...@suse.com> + +- Support @include(-dir) directives +- Support alternative name Cmd_Alias +- report properly if yast2-sudo cannot read some configuration +- improve error report if syntax failed after write + (related to bsc#1156929) +- 4.3.0 + +------------------------------------------------------------------- Old: ---- yast2-sudo-4.2.3.tar.bz2 New: ---- yast2-sudo-4.3.0.tar.bz2 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ yast2-sudo.spec ++++++ --- /var/tmp/diff_new_pack.FP7wxh/_old 2020-10-18 16:20:35.696468756 +0200 +++ /var/tmp/diff_new_pack.FP7wxh/_new 2020-10-18 16:20:35.700468758 +0200 @@ -1,7 +1,7 @@ # # spec file for package yast2-sudo # -# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2020 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -12,7 +12,7 @@ # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. -# Please submit bugfixes or comments via http://bugs.opensuse.org/ +# Please submit bugfixes or comments via https://bugs.opensuse.org/ # @@ -20,9 +20,9 @@ Summary: YaST2 - Sudo configuration License: GPL-2.0-only Group: System/YaST -Version: 4.2.3 +Version: 4.3.0 Release: 0 -Url: https://github.com/yast/yast-sudo +URL: https://github.com/yast/yast-sudo Source0: %{name}-%{version}.tar.bz2 
@@ -35,7 +35,8 @@ BuildRequires: yast2 BuildRequires: yast2-devtools >= 4.2.2 BuildRequires: yast2-users -BuildRequires: rubygem(yast-rake) +BuildRequires: rubygem(%rb_default_ruby_abi:rspec) +BuildRequires: rubygem(%rb_default_ruby_abi:yast-rake) BuildArch: noarch ++++++ yast2-sudo-4.2.3.tar.bz2 -> yast2-sudo-4.3.0.tar.bz2 ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-sudo-4.2.3/.coveralls.yml new/yast2-sudo-4.3.0/.coveralls.yml --- old/yast2-sudo-4.2.3/.coveralls.yml 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-sudo-4.3.0/.coveralls.yml 2020-10-09 14:26:03.000000000 +0200 @@ -0,0 +1 @@ +service_name: travis-ci diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-sudo-4.2.3/.travis.yml new/yast2-sudo-4.3.0/.travis.yml --- old/yast2-sudo-4.2.3/.travis.yml 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-sudo-4.3.0/.travis.yml 2020-10-09 14:26:03.000000000 +0200 @@ -0,0 +1,11 @@ +sudo: required +language: bash +services: + - docker + +before_install: + - docker build -t yast-sudo-image . +script: + # the "yast-travis-ruby" script is included in the base yastdevel/ruby image + # see https://github.com/yast/docker-yast-ruby/blob/master/yast-travis-ruby + - docker run -it -e TRAVIS=1 -e TRAVIS_JOB_ID="$TRAVIS_JOB_ID" yast-sudo-image yast-travis-ruby diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-sudo-4.2.3/CONTRIBUTING.md new/yast2-sudo-4.3.0/CONTRIBUTING.md --- old/yast2-sudo-4.2.3/CONTRIBUTING.md 2020-02-19 10:51:08.000000000 +0100 +++ new/yast2-sudo-4.3.0/CONTRIBUTING.md 1970-01-01 01:00:00.000000000 +0100 
@@ -1,89 +0,0 @@ -YaST Contribution Guidelines -============================ - -YaST is an open source project and as such it welcomes all kinds of -contributions. If you decide to contribute, please follow these guidelines to -ensure the process is effective and pleasant both for you and the YaST maintainers. - -There are two main forms of contribution: reporting bugs and performing code -changes. - -Bug Reports ------------ - -If you find a problem, please report it either using -[Bugzilla](https://bugzilla.suse.com/enter_bug.cgi?format=guided&product=openSUSE+Factory&component=YaST2) -or [GitHub issues](../../issues). (For Bugzilla, use the [simplified -registration](https://secure-www.novell.com/selfreg/jsp/createSimpleAccount.jsp) -if you don't have an account yet.) - -When creating a bug report, please follow our [bug reporting -guidelines](http://en.opensuse.org/openSUSE:Report_a_YaST_bug). - -We can't guarantee that every bug will be fixed, but we'll try. - -Code Changes ------------- - -We welcome all kinds of code contributions, from simple bug fixes to significant -refactorings and implementation of new features. However, before making any -non-trivial contribution, get in touch with us first — this can prevent wasted -effort on both sides. Also, have a look at our [development -documentation](http://en.opensuse.org/openSUSE:YaST_development). - -To send us your code change, use GitHub pull requests. The workflow is as -follows: - - 1. Fork the project. - - 2. Create a topic branch based on `master`. - - 3. Implement your change, including tests (if possible). Make sure you adhere - to the [Ruby style - guide](https://github.com/SUSE/style-guides/blob/master/Ruby.md). - - 4. Update the package version (in `packages/*.spec`, usually by - `rake version:bump`) and add a new entry to the `package/*.changes` file - (by `osc vc package`). 
- For bigger changes or changes which need longer discussion it is advised to - add this as a separate last commit so it can be easily updated when another - change is merged in the meantime. - - 5. Make sure your change didn't break anything by building the RPM package - (`rake osc:build`). The build process includes running the full testsuite. - - 6. Publish the branch and create a pull request. - - 7. YaST developers will review your change and possibly point out issues. - Adapt the code under their guidance until they are all resolved. - - 8. Finally, the pull request will get merged or rejected. - -See also [GitHub's guide on -contributing](https://help.github.com/articles/fork-a-repo). - -If you want to do multiple unrelated changes, use separate branches and pull -requests. - -### Commits - -Each commit in the pull request should do only one thing, which is clearly -described by its commit message. Especially avoid mixing formatting changes and -functional changes into one commit. When writing commit messages, adhere to -[widely used -conventions](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html). - -If your commit is related to a bug in Bugzilla or an issue on GitHub, make sure -you mention it in the commit message for cross-reference. Use format like -bnc#775814 or gh#yast/yast-foo#42. See also [GitHub -autolinking](https://help.github.com/articles/github-flavored-markdown#references) -and [openSUSE abbreviation -reference](http://en.opensuse.org/openSUSE:Packaging_Patches_guidelines#Current_set_of_abbreviations). - -Additional Information ----------------------- - -If you have any question, feel free to ask at the [development mailing -list](http://lists.opensuse.org/yast-devel/) or at the -[#yast](http://webchat.freenode.net/?channels=%23yast) IRC channel on freenode. -We'll do our best to provide a timely and accurate answer. 
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-sudo-4.2.3/Dockerfile new/yast2-sudo-4.3.0/Dockerfile --- old/yast2-sudo-4.2.3/Dockerfile 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-sudo-4.3.0/Dockerfile 2020-10-09 14:26:03.000000000 +0200 @@ -0,0 +1,2 @@ +FROM registry.opensuse.org/yast/head/containers/yast-ruby:latest +COPY . /usr/src/app diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-sudo-4.2.3/README.md new/yast2-sudo-4.3.0/README.md --- old/yast2-sudo-4.2.3/README.md 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-sudo-4.3.0/README.md 2020-10-09 14:26:03.000000000 +0200 
@@ -0,0 +1,22 @@ +## YaST - Sudo Configuration + +The intention of this module is to provide a User Interface for configuring +`sudo`. + +### Known Limitations + +- It uses a handcrafter Perl parser that has some limitations, especially when + it comes to deal with new `sudo` features or complex configuration. + Alternatives like Augeas lenses are more up-to-date. For specific limitations + see below. +- Support for `@include` and `@includedir` directive is limited. It just shows + them in rules section, but nothing more. Also duplicated alias detection does + not work across included files. +- `sudo` configuration does not support multitags in rules, which leads to + refuse to work with error message. +- `sudo` configuration does not support command specific tags in rules, which leads to + refuse to work with error message. +- The module does not allow to see/edit the global configuration of `sudo` (key + `Defaults`). +- No support for commands digest feature. If found then it refuses to work. +- It can only work with `/etc/sudoers`. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-sudo-4.2.3/package/yast2-sudo.changes new/yast2-sudo-4.3.0/package/yast2-sudo.changes --- old/yast2-sudo-4.2.3/package/yast2-sudo.changes 2020-02-19 10:51:08.000000000 +0100 +++ new/yast2-sudo-4.3.0/package/yast2-sudo.changes 2020-10-09 14:26:03.000000000 +0200 
@@ -1,4 +1,14 @@ ------------------------------------------------------------------- +Thu Oct 8 14:43:17 UTC 2020 - Josef Reidinger <jreidin...@suse.com> + +- Support @include(-dir) directives +- Support alternative name Cmd_Alias +- report properly if yast2-sudo cannot read some configuration +- improve error report if syntax failed after write + (related to bsc#1156929) +- 4.3.0 + +------------------------------------------------------------------- Tue Feb 18 14:40:08 UTC 2020 - Stefan Hundhammer <shundham...@suse.com> - Fixed user-visible messages (bsc#1084015) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-sudo-4.2.3/package/yast2-sudo.spec new/yast2-sudo-4.3.0/package/yast2-sudo.spec --- old/yast2-sudo-4.2.3/package/yast2-sudo.spec 2020-02-19 10:51:08.000000000 +0100 +++ new/yast2-sudo-4.3.0/package/yast2-sudo.spec 2020-10-09 14:26:03.000000000 +0200 @@ -18,7 +18,7 @@ Name: yast2-sudo Summary: YaST2 - Sudo configuration -Version: 4.2.3 +Version: 4.3.0 Release: 0 Url: https://github.com/yast/yast-sudo Group: System/YaST @@ -33,7 +33,8 @@ BuildRequires: yast2 yast2-users BuildRequires: yast2-devtools >= 4.2.2 -BuildRequires: rubygem(yast-rake) +BuildRequires: rubygem(%rb_default_ruby_abi:rspec) +BuildRequires: rubygem(%rb_default_ruby_abi:yast-rake) BuildRequires: update-desktop-files BuildArch: noarch diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-sudo-4.2.3/src/modules/Sudo.rb new/yast2-sudo-4.3.0/src/modules/Sudo.rb --- old/yast2-sudo-4.2.3/src/modules/Sudo.rb 2020-02-19 10:51:08.000000000 +0100 +++ new/yast2-sudo-4.3.0/src/modules/Sudo.rb 2020-10-09 14:26:03.000000000 +0200 @@ -31,6 +31,17 @@ require "yast" module Yast + + class UnsupportedSudoConfig < RuntimeError + attr_reader :line + + def initialize(msg, line) + super(msg) + + @line = line + end + end + class SudoClass < Module def main Yast.import "UI" 
@@ -118,7 +129,7 @@ "mem" => lst } ) - when "Cmnd_Alias" + when "Cmnd_Alias", "Cmd_Alias" lst = Builtins.maplist( Builtins.splitstring(Ops.get_string(line, 3, ""), ",") ) do |s| @@ -149,6 +160,11 @@ if Builtins.regexpmatch(type, "^Defaults.*$") #do nothing, keep defaults untouched @defaults = Builtins.add(@defaults, line) + elsif type =~ /^sha\d+:/ + raise UnsupportedSudoConfig.new( + _("Rules with digest are not supported."), + "#{type} #{Ops.get_string(line, 2, "")} #{Ops.get_string(line, 3, "")}" + ) else m = {} cmd = [] @@ -176,6 +192,14 @@ Ops.get_string(line, 3, ""), "NOPASSWD:|SETENV:|NOEXEC:" ) + rest = Ops.get_string(line, 3, "") + # remove from rest runas as it can also contain ":" + if rest.gsub(/\([^\)]*\)/, "").count(":") > 1 + raise UnsupportedSudoConfig.new( + _("Multiple tags on single line are not supported."), + "#{type} #{m["host"]} = #{Ops.get_string(line, 3, "")}" + ) + end Ops.set( m, "tag", @@ -334,8 +358,7 @@ Builtins.y2milestone("Sudo settings %1", set) - return SCR.Write(path(".sudo"), nil) if SCR.Write(path(".sudo"), set) - true + SCR.Write(path(".sudo"), set) && SCR.Write(path(".sudo"), nil) end def SetItem(i) @@ -566,7 +589,16 @@ def Read return false if !Confirm.MustBeRoot - Report.Error(Message.CannotReadCurrentSettings) if !ReadSudoSettings2() + begin + Report.Error(Message.CannotReadCurrentSettings) if !ReadSudoSettings2() + rescue UnsupportedSudoConfig => e + msg = _("Unsupported configuration found. YaST will now exit to prevent from breaking the system.") + msg += "\n" + _("Issue: ") + e.message + msg += "\n" + _("Line content: ") + e.line + Report.Error(msg) + + return false + end # Error message if !ReadLocalUsers() 
@@ -635,7 +667,12 @@ Progress.NextStage # Error message if !WriteSudoSettings2() - Report.Error(_("Cannot write settings.")) + msg = _("Cannot write settings.") + if ::File.exists?("/etc/sudoers.YaST2.new") # if file exists it is invalid syntax + res = SCR.Execute(path(".target.bash_output"), "/usr/sbin/visudo -cf /etc/sudoers.YaST2.new") + msg += _("\nSyntax error in target file. See /etc/sudoers.YaST2.new.\nDetails: ") + res["stdout"] + end + Report.Error(msg) ret = false end Builtins.sleep(sl) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-sudo-4.2.3/src/servers_non_y2/ag_etc_sudoers new/yast2-sudo-4.3.0/src/servers_non_y2/ag_etc_sudoers --- old/yast2-sudo-4.2.3/src/servers_non_y2/ag_etc_sudoers 2020-02-19 10:51:08.000000000 +0100 +++ new/yast2-sudo-4.3.0/src/servers_non_y2/ag_etc_sudoers 2020-10-09 14:26:03.000000000 +0200 @@ -103,7 +103,8 @@ print OUTFILE $previous_content; } - if ($members) { + # do not break include directives + if ($members && $type !~ /^\@include/ ) { print OUTFILE $type, "\t", $name, " = ", $members, "\n"; } else { print OUTFILE $type, "\t", $name, "\n"; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-sudo-4.2.3/test/data/associated_tag_example/sudoers new/yast2-sudo-4.3.0/test/data/associated_tag_example/sudoers --- old/yast2-sudo-4.2.3/test/data/associated_tag_example/sudoers 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-sudo-4.3.0/test/data/associated_tag_example/sudoers 2020-10-09 14:26:03.000000000 +0200 
@@ -0,0 +1 @@ +myuser ALL = (root) NOPASSWD: /usr/bin/vim, PASSWD: /sbin/halt, /sbin/reboot diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-sudo-4.2.3/test/data/cmd_alias_config/sudoers new/yast2-sudo-4.3.0/test/data/cmd_alias_config/sudoers --- old/yast2-sudo-4.2.3/test/data/cmd_alias_config/sudoers 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-sudo-4.3.0/test/data/cmd_alias_config/sudoers 2020-10-09 14:26:03.000000000 +0200 @@ -0,0 +1,23 @@ +# Sample /etc/sudoers file. +# +# This file MUST be edited with the 'visudo' command as root. +# +# See the sudoers man page for the details on how to write a sudoers file. +# + +## +# Cmnd alias specification +## +Cmnd_Alias DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \ + /usr/sbin/rrestore, /usr/bin/mt +Cmnd_Alias KILL = /usr/bin/kill +Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm +Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown +Cmnd_Alias HALT = /usr/sbin/halt +Cmnd_Alias REBOOT = /usr/sbin/reboot +Cmnd_Alias SHELLS = /sbin/sh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \ + /usr/local/bin/tcsh, /usr/bin/rsh, \ + /usr/local/bin/zsh +Cmd_Alias SU = /usr/bin/su +Cmd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \ + /usr/bin/chfn diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-sudo-4.2.3/test/data/default_config/sudoers new/yast2-sudo-4.3.0/test/data/default_config/sudoers --- old/yast2-sudo-4.2.3/test/data/default_config/sudoers 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-sudo-4.3.0/test/data/default_config/sudoers 2020-10-09 14:26:03.000000000 +0200 
@@ -0,0 +1,87 @@ +## sudoers file. +## +## This file MUST be edited with the 'visudo' command as root. +## Failure to use 'visudo' may result in syntax or file permission errors +## that prevent sudo from running. +## +## See the sudoers man page for the details on how to write a sudoers file. +## + +## +## Host alias specification +## +## Groups of machines. These may include host names (optionally with wildcards), +## IP addresses, network numbers or netgroups. +# Host_Alias WEBSERVERS = www1, www2, www3 + +## +## User alias specification +## +## Groups of users. These may consist of user names, uids, Unix groups, +## or netgroups. +# User_Alias ADMINS = millert, dowdy, mikef + +## +## Cmnd alias specification +## +## Groups of commands. Often used to group related commands together. +# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ +# /usr/bin/pkill, /usr/bin/top +# Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff + +## +## Defaults specification +## +## Prevent environment variables from influencing programs in an +## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151) +Defaults always_set_home +## Path that will be used for every command run from sudo +Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin:/usr/local/sbin" +Defaults env_reset +## Change env_reset to !env_reset in previous line to keep all environment variables +## Following list will no longer be necessary after this change +Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE" +## Comment out the preceding line and uncomment the following one if you need +## to use special input methods. This may allow users to compromise the root +## account if they are allowed to run commands without authentication. 
+#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE" + +## Do not insult users when they enter an incorrect password. +Defaults !insults + +## Uncomment to use a hard-coded PATH instead of the user's to find commands +# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +## +## Uncomment to send mail if the user does not enter the correct password. +# Defaults mail_badpass +## +## Uncomment to enable logging of a command's output, except for +## sudoreplay and reboot. Use sudoreplay to play back logged sessions. +# Defaults log_output +# Defaults!/usr/bin/sudoreplay !log_output +# Defaults!REBOOT !log_output + +## In the default (unconfigured) configuration, sudo asks for the root password. +## This allows use of an ordinary user account for administration of a freshly +## installed system. When configuring sudo, delete the two +## following lines: +Defaults targetpw # ask for the password of the target user i.e. root +ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'! + +## +## Runas alias specification +## + +## +## User privilege specification +## +root ALL=(ALL) ALL + +## Uncomment to allow members of group wheel to execute any command +# %wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Read drop-in files from /etc/sudoers.d +@includedir sudoers.d diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-sudo-4.2.3/test/data/digest_example/sudoers new/yast2-sudo-4.3.0/test/data/digest_example/sudoers --- old/yast2-sudo-4.2.3/test/data/digest_example/sudoers 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-sudo-4.3.0/test/data/digest_example/sudoers 2020-10-09 14:26:03.000000000 +0200 
@@ -0,0 +1 @@ +sha256:865d0fc47d0aa1fe198e2d9b0cd5b27e35838dc8f73b6629adc646d3cc2d9c94 myuser ALL = (root) /sbin/reboot diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-sudo-4.2.3/test/data/multitag_single_line/sudoers new/yast2-sudo-4.3.0/test/data/multitag_single_line/sudoers --- old/yast2-sudo-4.2.3/test/data/multitag_single_line/sudoers 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-sudo-4.3.0/test/data/multitag_single_line/sudoers 2020-10-09 14:26:03.000000000 +0200 @@ -0,0 +1 @@ +myuser ALL = (root) NOPASSWD:NOEXEC: /usr/bin/vim, /sbin/halt, /sbin/reboot diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-sudo-4.2.3/test/data/nested_include_config/sudoers new/yast2-sudo-4.3.0/test/data/nested_include_config/sudoers --- old/yast2-sudo-4.2.3/test/data/nested_include_config/sudoers 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-sudo-4.3.0/test/data/nested_include_config/sudoers 2020-10-09 14:26:03.000000000 +0200 
@@ -0,0 +1,75 @@ +## sudoers file. +## +## This file MUST be edited with the 'visudo' command as root. +## Failure to use 'visudo' may result in syntax or file permission errors +## that prevent sudo from running. +## +## See the sudoers man page for the details on how to write a sudoers file. +## + +## +## Host alias specification +## +## Groups of machines. These may include host names (optionally with wildcards), +## IP addresses, network numbers or netgroups. +# Host_Alias WEBSERVERS = www1, www2, www3 + +## +## User alias specification +## +## Groups of users. These may consist of user names, uids, Unix groups, +## or netgroups. +# User_Alias ADMINS = millert, dowdy, mikef + +## +## Cmnd alias specification +## +## Groups of commands. Often used to group related commands together. +# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ +# /usr/bin/pkill, /usr/bin/top +# Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff + +## +## Defaults specification +## +## Prevent environment variables from influencing programs in an +## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151) +Defaults always_set_home +## Path that will be used for every command run from sudo +Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin:/usr/local/sbin" +Defaults env_reset +## Uncomment to use a hard-coded PATH instead of the user's to find commands +# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +## +## Uncomment to send mail if the user does not enter the correct password. +# Defaults mail_badpass +## +## Uncomment to enable logging of a command's output, except for +## sudoreplay and reboot. Use sudoreplay to play back logged sessions. +# Defaults log_output +# Defaults!/usr/bin/sudoreplay !log_output +# Defaults!REBOOT !log_output + +## In the default (unconfigured) configuration, sudo asks for the root password. 
+## This allows use of an ordinary user account for administration of a freshly +## installed system. When configuring sudo, delete the two +## following lines: +Defaults targetpw # ask for the password of the target user i.e. root +ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'! + +## +## Runas alias specification +## + +## +## User privilege specification +## +root ALL=(ALL) ALL + +## Uncomment to allow members of group wheel to execute any command +# %wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +@include sudoers2 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-sudo-4.2.3/test/data/nested_include_config/sudoers2 new/yast2-sudo-4.3.0/test/data/nested_include_config/sudoers2 --- old/yast2-sudo-4.2.3/test/data/nested_include_config/sudoers2 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-sudo-4.3.0/test/data/nested_include_config/sudoers2 2020-10-09 14:26:03.000000000 +0200 @@ -0,0 +1,4 @@ +## Do not insult users when they enter an incorrect password. +Defaults !insults + +@include sudoers3 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-sudo-4.2.3/test/data/nested_include_config/sudoers3 new/yast2-sudo-4.3.0/test/data/nested_include_config/sudoers3 --- old/yast2-sudo-4.2.3/test/data/nested_include_config/sudoers3 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-sudo-4.3.0/test/data/nested_include_config/sudoers3 2020-10-09 14:26:03.000000000 +0200 
@@ -0,0 +1,6 @@ +## Change env_reset to !env_reset in previous line to keep all environment variables +## Following list will no longer be necessary after this change +Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE" + + + diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-sudo-4.2.3/test/data/old_includedir/sudoers new/yast2-sudo-4.3.0/test/data/old_includedir/sudoers --- old/yast2-sudo-4.2.3/test/data/old_includedir/sudoers 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-sudo-4.3.0/test/data/old_includedir/sudoers 2020-10-09 14:26:03.000000000 +0200 
@@ -0,0 +1,87 @@ +## sudoers file. +## +## This file MUST be edited with the 'visudo' command as root. +## Failure to use 'visudo' may result in syntax or file permission errors +## that prevent sudo from running. +## +## See the sudoers man page for the details on how to write a sudoers file. +## + +## +## Host alias specification +## +## Groups of machines. These may include host names (optionally with wildcards), +## IP addresses, network numbers or netgroups. +# Host_Alias WEBSERVERS = www1, www2, www3 + +## +## User alias specification +## +## Groups of users. These may consist of user names, uids, Unix groups, +## or netgroups. +# User_Alias ADMINS = millert, dowdy, mikef + +## +## Cmnd alias specification +## +## Groups of commands. Often used to group related commands together. +# Cmnd_Alias PROCESSES = /usr/bin/nice, /bin/kill, /usr/bin/renice, \ +# /usr/bin/pkill, /usr/bin/top +# Cmnd_Alias REBOOT = /sbin/halt, /sbin/reboot, /sbin/poweroff + +## +## Defaults specification +## +## Prevent environment variables from influencing programs in an +## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151) +Defaults always_set_home +## Path that will be used for every command run from sudo +Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/bin:/usr/local/sbin" +Defaults env_reset +## Change env_reset to !env_reset in previous line to keep all environment variables +## Following list will no longer be necessary after this change +Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE" +## Comment out the preceding line and uncomment the following one if you need +## to use special input methods. This may allow users to compromise the root +## account if they are allowed to run commands without authentication. 
+#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE" + +## Do not insult users when they enter an incorrect password. +Defaults !insults + +## Uncomment to use a hard-coded PATH instead of the user's to find commands +# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" +## +## Uncomment to send mail if the user does not enter the correct password. +# Defaults mail_badpass +## +## Uncomment to enable logging of a command's output, except for +## sudoreplay and reboot. Use sudoreplay to play back logged sessions. +# Defaults log_output +# Defaults!/usr/bin/sudoreplay !log_output +# Defaults!REBOOT !log_output + +## In the default (unconfigured) configuration, sudo asks for the root password. +## This allows use of an ordinary user account for administration of a freshly +## installed system. When configuring sudo, delete the two +## following lines: +Defaults targetpw # ask for the password of the target user i.e. root +ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'! + +## +## Runas alias specification +## + +## +## User privilege specification +## +root ALL=(ALL) ALL + +## Uncomment to allow members of group wheel to execute any command +# %wheel ALL=(ALL) ALL + +## Same thing without a password +# %wheel ALL=(ALL) NOPASSWD: ALL + +## Read drop-in files from /etc/sudoers.d +#includedir sudoers.d diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-sudo-4.2.3/test/data/richful_example/sudoers new/yast2-sudo-4.3.0/test/data/richful_example/sudoers --- old/yast2-sudo-4.2.3/test/data/richful_example/sudoers 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-sudo-4.3.0/test/data/richful_example/sudoers 2020-10-09 14:26:03.000000000 +0200 
@@ -0,0 +1,129 @@ +# Sample /etc/sudoers file. +# +# This file MUST be edited with the 'visudo' command as root. +# +# See the sudoers man page for the details on how to write a sudoers file. +# + +## +# User alias specification +## +User_Alias FULLTIMERS = millert, mikef, dowdy +User_Alias PARTTIMERS = bostley, jwfox, crawl +User_Alias WEBMASTERS = will, wendy, wim + +## +# Runas alias specification +## +Runas_Alias OP = root, operator +Runas_Alias DB = oracle, sybase + +## +# Host alias specification +## +Host_Alias SPARC = bigtime, eclipse, moet, anchor:\ + SGI = grolsch, dandelion, black:\ + ALPHA = widget, thalamus, foobar:\ + HPPA = boa, nag, python +Host_Alias CUNETS = 128.138.0.0/255.255.0.0 +Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 +Host_Alias SERVERS = master, mail, www, ns +Host_Alias CDROM = orion, perseus, hercules + +## +# Cmnd alias specification +## +Cmnd_Alias DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \ + /usr/sbin/rrestore, /usr/bin/mt +Cmnd_Alias KILL = /usr/bin/kill +Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm +Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown +Cmnd_Alias HALT = /usr/sbin/halt +Cmnd_Alias REBOOT = /usr/sbin/reboot +Cmnd_Alias SHELLS = /sbin/sh, /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \ + /usr/local/bin/tcsh, /usr/bin/rsh, \ + /usr/local/bin/zsh +Cmnd_Alias SU = /usr/bin/su +Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \ + /usr/bin/chfn + +## +# Override built-in defaults +## +Defaults syslog=auth +Defaults>root !set_logname +Defaults:FULLTIMERS !lecture +Defaults:millert !authenticate +Defaults@SERVERS log_year, logfile=/var/log/sudo.log + +## +# User specification +## + +# root and users in group wheel can run anything on any machine as any user +root ALL = (ALL) ALL +%wheel ALL = (ALL) ALL + +# full time sysadmins can run anything on any machine without a password +FULLTIMERS ALL = NOPASSWD: ALL + +# part time sysadmins may run anything but need a password 
+PARTTIMERS ALL = ALL + +# jack may run anything on machines in CSNETS +jack CSNETS = ALL + +# lisa may run any command on any host in CUNETS (a class B network) +lisa CUNETS = ALL + +# operator may run maintenance commands and anything in /usr/oper/bin/ +operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\ + sudoedit /etc/printcap, /usr/oper/bin/ + +# joe may su only to operator +joe ALL = /usr/bin/su operator + +# pete may change passwords for anyone but root on the hp snakes +pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root + +# bob may run anything on the sparc and sgi machines as any user +# listed in the Runas_Alias "OP" (ie: root and operator) +bob SPARC = (OP) ALL : SGI = (OP) ALL + +# jim may run anything on machines in the biglab netgroup +jim +biglab = ALL + +# users in the secretaries netgroup need to help manage the printers +# as well as add and remove users ++secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser + +# fred can run commands as oracle or sybase without a password +fred ALL = (DB) NOPASSWD: ALL + +# on the alphas, john may su to anyone but root and flags are not allowed +john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* + +# jen can run anything on all machines except the ones +# in the "SERVERS" Host_Alias +jen ALL, !SERVERS = ALL + +# jill can run any commands in the directory /usr/bin/, except for +# those in the SU and SHELLS aliases. +jill SERVERS = /usr/bin/, !SU, !SHELLS + +# steve can run any command in the directory /usr/local/op_commands/ +# as user operator. +steve CSNETS = (operator) /usr/local/op_commands/ + +# matt needs to be able to kill things on his workstation when +# they get hung. +matt valkyrie = KILL + +# users in the WEBMASTERS User_Alias (will, wendy, and wim) +# may run any command as user www (which owns the web pages) +# or simply su to www. 
+WEBMASTERS www = (www) ALL, (root) /usr/bin/su www + +# anyone can mount/unmount a cd-rom on the machines in the CDROM alias +ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ + /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-sudo-4.2.3/test/sudo_test.rb new/yast2-sudo-4.3.0/test/sudo_test.rb --- old/yast2-sudo-4.2.3/test/sudo_test.rb 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-sudo-4.3.0/test/sudo_test.rb 2020-10-09 14:26:03.000000000 +0200 
@@ -0,0 +1,199 @@ +require_relative "test_helper" + +Yast.import "Sudo" + +describe Yast::Sudo do + subject { described_class } + + describe "#ReadSudoSettings2" do + before do + # reset internal variables as e.g. read just adds new entries + # and does not reset old + subject.main + end + + # @param lines [Array<Hash>] list of hash with keys :comment for + # comments before line, :type for first word on line, :name for the + # second and :rest for rest of line without initial "=" + def mock_sudo(lines) + scr_result = lines.map do |l| + [l[:comment] || "", l[:type], l[:name], l[:rest]] + end + allow(Yast::SCR).to receive(:Read).with(path(".sudo")) + .and_return(scr_result) + end + + it "parses and set host aliases" do + lines = [ + { type: "Host_Alias", name: "ALIAS1", rest: "test.suse.cz" }, + { comment: "test\n", type: "Host_Alias", name: "ALIAS2", + rest: "test.suse.de, test2.suse.de,\ttest3.suse.de" } + ] + mock_sudo(lines) + + expected_aliases = [ + { "c" => "", "name" => "ALIAS1", "mem" => ["test.suse.cz"] }, + { "c" => "test\n", "name" => "ALIAS2", + "mem" => ["test.suse.de", "test2.suse.de", "test3.suse.de"] } + ] + + subject.ReadSudoSettings2 + + expect(subject.GetHostAliases2).to eq expected_aliases + end + + it "parses and set user aliases" do + lines = [ + { type: "User_Alias", name: "ALIAS1", rest: "user1" }, + { comment: "test\n", type: "User_Alias", name: "ALIAS2", + rest: "user2, user3,\tuser4" } + ] + mock_sudo(lines) + + expected_aliases = [ + { "c" => "", "name" => "ALIAS1", "mem" => ["user1"] }, + { "c" => "test\n", "name" => "ALIAS2", + "mem" => ["user2", "user3", "user4"] } + ] + + subject.ReadSudoSettings2 + + expect(subject.GetUserAliases2).to eq expected_aliases + end + + it "parses and set command aliases" do + lines = [ + { type: "Cmnd_Alias", name: "ALIAS1", rest: "/bin/cmd" }, + { comment: "test\n", type: "Cmnd_Alias", name: "ALIAS2", + rest: "/bin/cmd1, /bin/cmd2,\t/bin/cmd3" } + ] + mock_sudo(lines) + + expected_aliases = [ + { "c" => 
"", "name" => "ALIAS1", "mem" => ["/bin/cmd"] }, + { "c" => "test\n", "name" => "ALIAS2", + "mem" => ["/bin/cmd1", "/bin/cmd2", "/bin/cmd3"] } + ] + + subject.ReadSudoSettings2 + + expect(subject.GetCmndAliases2).to eq expected_aliases + end + + it "parses and set command aliases with digest" do + lines = [ + { comment: "test\n", type: "Cmnd_Alias", name: "ALIAS2", + rest: "/bin/cmd1, sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== /home/cmds/cmd2" } + ] + mock_sudo(lines) + + expected_aliases = [ + { "c" => "test\n", "name" => "ALIAS2", + "mem" => ["/bin/cmd1", "sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== /home/cmds/cmd2"] } + ] + + subject.ReadSudoSettings2 + + expect(subject.GetCmndAliases2).to eq expected_aliases + end + + it "parses and set command aliases with Cmd_Alias alternative name" do + lines = [ + { comment: "test\n", type: "Cmd_Alias", name: "ALIAS2", rest: "/bin/cmd1" } + ] + mock_sudo(lines) + + expected_aliases = [ + { "c" => "test\n", "name" => "ALIAS2", "mem" => ["/bin/cmd1"] } + ] + + subject.ReadSudoSettings2 + + expect(subject.GetCmndAliases2).to eq expected_aliases + end + + it "parses and set runas aliases" do + lines = [ + { type: "Runas_Alias", name: "ALIAS1", rest: "user" }, + { comment: "test\n", type: "Runas_Alias", name: "ALIAS2", + rest: "user1, user2,\tuser3" } + ] + mock_sudo(lines) + + expected_aliases = [ + { "c" => "", "name" => "ALIAS1", "mem" => ["user"] }, + { "c" => "test\n", "name" => "ALIAS2", + "mem" => ["user1", "user2", "user3"] } + ] + + subject.ReadSudoSettings2 + + expect(subject.GetRunAsAliases2).to eq expected_aliases + end + + it "parses and set rules" do + lines = [ + { type: "user1", name: "ALL", rest: "NOPASSWD: /usr/bin/su operator" }, + { comment: "test\n", type: "user1", name: "ALL", + rest: "/bin/adduser, /bin/rmuser" } + ] + mock_sudo(lines) + + expected_rules = [ + { "user" => "user1", "host" => "ALL", "comment" => "", + "tag" => "NOPASSWD:", "commands" => ["/usr/bin/su operator"] }, + { "user" => 
"user1", "host" => "ALL", "comment" => "test\n", + "commands" => ["/bin/adduser", "/bin/rmuser"] } + ] + + subject.ReadSudoSettings2 + + expect(subject.GetRules).to eq expected_rules + end + + it "raises UnsupportedSudoConfig for rules with multiple tags" do + lines = [ + { type: "user1", name: "ALL", rest: "NOPASSWD:NOEXEC: /usr/bin/su operator" }, + ] + mock_sudo(lines) + + expect{subject.ReadSudoSettings2}.to raise_error(Yast::UnsupportedSudoConfig) + end + + it "raises UnsupportedSudoConfig for rules with associated tags" do + lines = [ + { type: "user1", name: "ALL", rest: "NOPASSWD: /usr/bin/su operator, PASSWD: /bin/test" }, + ] + mock_sudo(lines) + + expect{subject.ReadSudoSettings2}.to raise_error(Yast::UnsupportedSudoConfig) + end + + it "parses and set rules with run as specified" do + lines = [ + # (root, bin : operator, system) means can run as root or bin user or as operator or system group + { type: "user1", name: "ALL", rest: "NOPASSWD: (root, bin : operator, system) /bin/test" }, + ] + mock_sudo(lines) + + expected_rules = [ + { "user" => "user1", "host" => "ALL", "comment" => "", "run_as" => "(root, bin : operator, system)", + "tag" => "NOPASSWD:", "commands" => ["/bin/test"] }, + ] + + subject.ReadSudoSettings2 + + expect(subject.GetRules).to eq expected_rules + end + + it "raises UnsupportedSudoConfig for rules with digest" do + lines = [ + { type: "sha256:865d0fc47d0aa1fe198e2d9b0cd5b27e35838dc8f73b6629adc646d3cc2d9c94", + name: "user1" }, + ] + mock_sudo(lines) + + expect{subject.ReadSudoSettings2}.to raise_error(Yast::UnsupportedSudoConfig) + end + end +end diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/yast2-sudo-4.2.3/test/test_helper.rb new/yast2-sudo-4.3.0/test/test_helper.rb --- old/yast2-sudo-4.2.3/test/test_helper.rb 1970-01-01 01:00:00.000000000 +0100 +++ new/yast2-sudo-4.3.0/test/test_helper.rb 2020-10-09 14:26:03.000000000 +0200 
@@ -0,0 +1,39 @@ +ENV["Y2DIR"] = File.expand_path("../src", __dir__) + +# localization agnostic tests +ENV["LC_ALL"] = "en_US.utf-8" +ENV["LANG"] = "en_US.utf-8" + +require "yast" +require "yast/rspec" + +RSpec.configure do |config| + config.mock_with :rspec do |mocks| + # If you misremember a method name both in code and in tests, + # will save you. + # https://relishapp.com/rspec/rspec-mocks/v/3-0/docs/verifying-doubles/partial-doubles + # + # With graceful degradation for RSpec 2 + mocks.verify_partial_doubles = true if mocks.respond_to?(:verify_partial_doubles=) + end +end + +if ENV["COVERAGE"] + require "simplecov" + SimpleCov.start do + add_filter "/test/" + end + + src_location = File.expand_path("../src", __dir__) + # track all ruby files under src + SimpleCov.track_files("#{src_location}/**/*.rb") + + # use coveralls for on-line code coverage reporting at Travis CI + if ENV["TRAVIS"] + require "coveralls" + SimpleCov.formatter = SimpleCov::Formatter::MultiFormatter[ + SimpleCov::Formatter::HTMLFormatter, + Coveralls::SimpleCov::Formatter + ] + end +end
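Review bot: in the sample sudoers hunk (`@@ -0,0 +1,129 @@`), the rules built on `!` exclusions (`pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root`, `john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*`, `jill SERVERS = /usr/bin/, !SU, !SHELLS`) are the deny-list patterns that sudoers(5) itself cautions are not an effective restriction, and `[A-z]` in the pete rule is wider than the comment "anyone but root" suggests: in ASCII that range also matches `[`, `\`, `]`, `^`, `_` and the backtick, so `[A-Za-z]*` is what is meant. Because the file also carries `Defaults:millert !authenticate` and several `NOPASSWD:` entries, a header comment marking it as a parser fixture rather than a recommended policy would stop it being copied into a live /etc/sudoers. If it is meant as a fixture for the parser, it would also be worth adding the `Cmd_Alias` spelling and a digest-qualified command, both of which the spec in the next hunk exercises but this sample never contains.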
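Review bot: in the `test/sudo_test.rb` hunk, the example `raises UnsupportedSudoConfig for rules with digest` does not model a digest rule the way the agent would deliver one: it puts `sha256:865d...` in `:type` (the first word of the line) and `user1` in `:name`, with no `:rest`, whereas in a sudoers rule the digest precedes the command on the right-hand side, so the line would arrive as `{ type: "user1", name: "ALL", rest: "sha256:865d... /bin/test" }`, the same shape the `parses and set command aliases with digest` example already uses for `Cmnd_Alias`. As written the spec can pass because `rest` is `nil` or because the first word is not a recognised user, not because a digest in a rule is detected, so the fixture should be reshaped before it is relied on. Style: `expect{subject.ReadSudoSettings2}` should read `expect { subject.ReadSudoSettings2 }` (three occurrences), the single-element `lines` arrays carry a trailing comma that the other examples do not, and the descriptions "parses and set ..." should be "parses and sets ...".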
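Review bot: in the `test/test_helper.rb` hunk, `SimpleCov::Formatter::MultiFormatter[ ... ]` uses the bracket constructor that SimpleCov deprecated in 0.11; the supported form is `SimpleCov::Formatter::MultiFormatter.new([SimpleCov::Formatter::HTMLFormatter, Coveralls::SimpleCov::Formatter])`. `SimpleCov.track_files("#{src_location}/**/*.rb")` is called after the `SimpleCov.start do ... end` block rather than inside it alongside `add_filter "/test/"`; moving it into the block keeps the whole coverage configuration in one place. Minor: the comment `If you misremember a method name both in code and in tests, will save you.` is missing its subject (`this setting will save you`).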