PR#19: Rebase to 1.9.1 - rpms/sudo - src.fedoraproject.org

rpms / sudo

#19 Rebase to 1.9.1

Merged 3 years ago by rsroka. Opened 3 years ago by alakatos.

rpms/ alakatos/sudo master into master

alakatos • 3 years ago

306df89

.gitignore

file modified

		`@@ -22,3 +22,4 @@`
		`/sudo-1.8.29.tar.gz`
		`/sudo-1.9.0b1.tar.gz`
		`/sudo-1.9.0b4.tar.gz`
		`+ /sudo-1.9.1.tar.gz`

sources

file modified

+1 -1

		`@@ -1,1 +1,1 @@`
		`- SHA512 (sudo-1.9.0b4.tar.gz) = 8f9da58ebb53d751746e8b271d9089a98cbbeb6e82691c3905c5ac11255bc70c7f467c0097d8dab2980fd94ffb8c438d03326f1bc98f0b580ec6e5b06227f559`
		`+ SHA512 (sudo-1.9.1.tar.gz) = 7994c7d8f020188eda51787bb5f6fe7668518cc89b711e7840470db7e5bac1219490ffccc73854fecb14ceb3ffaf0fc605f3438c87b83f27921ea3626365105c`

sudo-1.9-RLIMIT_CORE.patch

file removed

-149

		`@@ -1,149 +0,0 @@`
		`- changeset 12288:1064b906ca68`
		`-`
		`- Ignore a failure to restore the RLIMIT_CORE resource limit.`
		`- Linux containers don't allow RLIMIT_CORE to be set back to RLIM_INFINITY`
		`- if we set the limit to zero, even for root. This is not a problem`
		`- outside the container.`
		`- author Todd C. Miller <Todd.Miller@sudo.ws>`
		`- date Sat, 14 Mar 2020 11:13:55 -0600`
		`- parents 72ca06a294b4`
		`- children 40629e6fd692`
		`- files src/limits.c`
		`- diffstat 1 files changed, 61 insertions(+), 10 deletions(-) [+]`
		`- line wrap: on`
		`- line diff`
		`-`
		`- --- a/src/limits.c Thu Mar 12 17:39:56 2020 -0600`
		`- +++ b/src/limits.c Sat Mar 14 11:13:55 2020 -0600`
		`- @@ -114,13 +114,21 @@`
		`-`
		`- if (getrlimit(RLIMIT_CORE, &corelimit) == -1)`
		`- sudo_warn("getrlimit(RLIMIT_CORE)");`
		`- + sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_CORE [%lld, %lld] -> [0, 0]",`
		`- + (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max);`
		`- if (setrlimit(RLIMIT_CORE, &rl) == -1)`
		`- sudo_warn("setrlimit(RLIMIT_CORE)");`
		`- #ifdef __linux__`
		`- /* On Linux, also set PR_SET_DUMPABLE to zero (reset by execve). */`
		`- - if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1)`
		`- + if ((dumpflag = prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)) == -1) {`
		`- + sudo_debug_printf(SUDO_DEBUG_ERROR\|SUDO_DEBUG_ERRNO,`
		`- + "prctl(PR_GET_DUMPABLE, 0, 0, 0, 0)");`
		`- dumpflag = 0;`
		`- - (void) prctl(PR_SET_DUMPABLE, 0, 0, 0, 0);`
		`- + }`
		`- + if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) == -1) {`
		`- + sudo_debug_printf(SUDO_DEBUG_ERROR\|SUDO_DEBUG_ERRNO,`
		`- + "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag);`
		`- + }`
		`- #endif /* __linux__ */`
		`- coredump_disabled = true;`
		`-`
		`- @@ -136,10 +144,20 @@`
		`- debug_decl(restore_coredump, SUDO_DEBUG_UTIL);`
		`-`
		`- if (coredump_disabled) {`
		`- - if (setrlimit(RLIMIT_CORE, &corelimit) == -1)`
		`- - sudo_warn("setrlimit(RLIMIT_CORE)");`
		`- + /*`
		`- + * Linux containers don't allow RLIMIT_CORE to be set back to`
		`- + * RLIM_INFINITY if we set the limit to zero, even for root.`
		`- + */`
		`- + if (setrlimit(RLIMIT_CORE, &corelimit) == -1) {`
		`- + sudo_debug_printf(SUDO_DEBUG_ERROR\|SUDO_DEBUG_ERRNO,`
		`- + "setrlimit(RLIMIT_CORE, [%lld, %lld])",`
		`- + (long long)corelimit.rlim_cur, (long long)corelimit.rlim_max);`
		`- + }`
		`- #ifdef __linux__`
		`- - (void) prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0);`
		`- + if (prctl(PR_SET_DUMPABLE, dumpflag, 0, 0, 0) == -1) {`
		`- + sudo_debug_printf(SUDO_DEBUG_ERROR\|SUDO_DEBUG_ERRNO,`
		`- + "prctl(PR_SET_DUMPABLE, %d, 0, 0, 0)", dumpflag);`
		`- + }`
		`- #endif /* __linux__ */`
		`- }`
		`- debug_return;`
		`- @@ -162,8 +180,14 @@`
		`-`
		`- if (getrlimit(RLIMIT_NPROC, &nproclimit) != 0)`
		`- sudo_warn("getrlimit(RLIMIT_NPROC)");`
		`- + sudo_debug_printf(SUDO_DEBUG_INFO, "RLIMIT_NPROC [%lld, %lld] -> [inf, inf]",`
		`- + (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max);`
		`- if (setrlimit(RLIMIT_NPROC, &rl) == -1) {`
		`- rl.rlim_cur = rl.rlim_max = nproclimit.rlim_max;`
		`- + sudo_debug_printf(SUDO_DEBUG_INFO,`
		`- + "RLIMIT_NPROC [%lld, %lld] -> [%lld, %lld]",`
		`- + (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max,`
		`- + (long long)rl.rlim_cur, (long long)rl.rlim_max);`
		`- if (setrlimit(RLIMIT_NPROC, &rl) != 0)`
		`- sudo_warn("setrlimit(RLIMIT_NPROC)");`
		`- }`
		`- @@ -180,8 +204,11 @@`
		`- #ifdef __linux__`
		`- debug_decl(restore_nproc, SUDO_DEBUG_UTIL);`
		`-`
		`- - if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0)`
		`- - sudo_warn("setrlimit(RLIMIT_NPROC)");`
		`- + if (setrlimit(RLIMIT_NPROC, &nproclimit) != 0) {`
		`- + sudo_debug_printf(SUDO_DEBUG_ERROR\|SUDO_DEBUG_ERRNO,`
		`- + "setrlimit(RLIMIT_NPROC, [%lld, %lld])",`
		`- + (long long)nproclimit.rlim_cur, (long long)nproclimit.rlim_max);`
		`- + }`
		`-`
		`- debug_return;`
		`- #endif /* __linux__ */`
		`- @@ -203,6 +230,11 @@`
		`- struct saved_limit *lim = &saved_limits[idx];`
		`- if (getrlimit(lim->resource, &lim->oldlimit) == -1)`
		`- continue;`
		`- + sudo_debug_printf(SUDO_DEBUG_INFO,`
		`- + "getrlimit(lim->name) -> [%lld, %lld]",`
		`- + (long long)lim->oldlimit.rlim_cur,`
		`- + (long long)lim->oldlimit.rlim_max);`
		`- +`
		`- lim->saved = true;`
		`- if (lim->newlimit.rlim_cur != RLIM_INFINITY) {`
		`- /* Don't reduce the soft resource limit. */`
		`- @@ -217,13 +249,28 @@`
		`- lim->newlimit.rlim_max = lim->oldlimit.rlim_max;`
		`- }`
		`- if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) {`
		`- - if (lim->fallback != NULL)`
		`- - rc = setrlimit(lim->resource, lim->fallback);`
		`- + sudo_debug_printf(SUDO_DEBUG_ERROR\|SUDO_DEBUG_ERRNO,`
		`- + "setrlimit(%s, [%lld, %lld])", lim->name,`
		`- + (long long)lim->newlimit.rlim_cur,`
		`- + (long long)lim->newlimit.rlim_max);`
		`- + if (lim->fallback != NULL) {`
		`- + if ((rc = setrlimit(lim->resource, lim->fallback)) == -1) {`
		`- + sudo_debug_printf(SUDO_DEBUG_ERROR\|SUDO_DEBUG_ERRNO,`
		`- + "setrlimit(%s, [%lld, %lld])", lim->name,`
		`- + (long long)lim->fallback->rlim_cur,`
		`- + (long long)lim->fallback->rlim_max);`
		`- + }`
		`- + }`
		`- if (rc == -1) {`
		`- /* Try setting new rlim_cur to old rlim_max. */`
		`- lim->newlimit.rlim_cur = lim->oldlimit.rlim_max;`
		`- lim->newlimit.rlim_max = lim->oldlimit.rlim_max;`
		`- - rc = setrlimit(lim->resource, &lim->newlimit);`
		`- + if ((rc = setrlimit(lim->resource, &lim->newlimit)) == -1) {`
		`- + sudo_debug_printf(SUDO_DEBUG_ERROR\|SUDO_DEBUG_ERRNO,`
		`- + "setrlimit(%s, [%lld, %lld])", lim->name,`
		`- + (long long)lim->newlimit.rlim_cur,`
		`- + (long long)lim->newlimit.rlim_max);`
		`- + }`
		`- }`
		`- if (rc == -1)`
		`- sudo_warn("setrlimit(%s)", lim->name);`
		`- @@ -254,6 +301,10 @@`
		`- if (rc != -1 \|\| errno != EINVAL)`
		`- break;`
		`-`
		`- + sudo_debug_printf(SUDO_DEBUG_ERROR\|SUDO_DEBUG_ERRNO,`
		`- + "setrlimit(%s, [%lld, %lld])", lim->name,`
		`- + (long long)rl.rlim_cur, (long long)rl.rlim_max);`
		`- +`
		`- /*`
		`- * Soft limit could be lower than current resource usage.`
		`- * This can be an issue on NetBSD with RLIMIT_STACK and ASLR.`

sudo.rpmlintrc

file added

+16

		`@@ -0,0 +1,16 @@`
		`+ # Sudo allows restricted root access for specified users. In other words,`
		`+ # it is a special package, which requires special permissions on on some`
		`+ # of the installed files.`
		`+ addFilter("missing-call-to-setgroups-before-setuid (/usr/bin/sudo\|/usr/bin/sudoreplay\|/usr/sbin/sudo_logsrvd\|/usr/sbin/sudo_sendlog\|/usr/libexec/sudo/sudoers.so\|)$")`
		`+`
		`+ addFilter("non-readable (/etc/sudo.conf\|/etc/sudo_logsrvd.conf\|/etc/sudoers\|/usr/bin/sudoreplay) .*$")`
		`+`
		`+ addFilter("non-standard-dir-perm (/etc/sudoers.d\|/var/db/sudo\|/var/db/sudo/lectured) .*$")`
		`+`
		`+ addFilter("setuid-binary /usr/bin/sudo .*$")`
		`+`
		`+ addFilter("non-standard-executable-perm (/usr/bin/sudo\|/usr/bin/sudoreplay) .*$")`
		`+`
		`+ addFilter("wrong-file-end-of-line-encoding /usr/share/doc/sudo/schema.ActiveDirectory$")`
		`+`
		`+ addFilter("non-standard-dir-in-var db$")`

sudo.spec

file modified

+14 -12

		`@@ -1,13 +1,10 @@`
		`- %global patchlevel b4`
		`- %global upstream_version %{version}%{patchlevel}`
		`-`
		`Summary: Allows restricted root access for specified users`
		`Name: sudo`
		`- Version: 1.9.0`
		`- Release: 0.1.%{patchlevel}%{?dist}`
		`+ Version: 1.9.1`
		`+ Release: 1%{?dist}`
		`License: ISC`
		`URL: http://www.courtesan.com/sudo/`
		`- Source0: https://www.sudo.ws/dist/beta/%{name}-%{upstream_version}.tar.gz`
		`+ Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz`
		`Source1: sudoers`
		`Requires: pam`
		`Recommends: vim-minimal`
		`@@ -27,8 +24,6 @@`

		`# don't strip`
		`Patch1: sudo-1.6.7p5-strip.patch`
		`- # https://www.sudo.ws/repos/sudo/rev/1064b906ca68`
		`- Patch2: sudo-1.9-RLIMIT_CORE.patch`

		`%description`
		`Sudo (superuser do) allows a system administrator to give certain`
		`@@ -50,10 +45,9 @@`
		`plugins that use %{name}.`

		`%prep`
		`- %setup -q -n %{name}-%{upstream_version}`
		`+ %setup -q`

		`%patch1 -p1 -b .strip`
		`- %patch2 -p1 -b .orig`

		`%build`
		`# Remove bundled copy of zlib`
		`@@ -152,13 +146,15 @@`


		`%files -f sudo_all.lang`
		`+ %defattr(-,root,root)`
		`%attr(0440,root,root) %config(noreplace) /etc/sudoers`
		`%attr(0750,root,root) %dir /etc/sudoers.d/`
		`%config(noreplace) /etc/pam.d/sudo`
		`%config(noreplace) /etc/pam.d/sudo-i`
		`%attr(0644,root,root) %{_tmpfilesdir}/sudo.conf`
		`- %attr(0644,root,root) /etc/dnf/protected.d/sudo.conf`
		`- %attr(0644,root,root) /etc/sudo.conf`
		`+ %attr(0644,root,root) %config(noreplace) /etc/dnf/protected.d/sudo.conf`
		`+ %attr(0640,root,root) %config(noreplace) /etc/sudo.conf`
		`+ %attr(0640,root,root) %config(noreplace) /etc/sudo_logsrvd.conf`
		`%dir /var/db/sudo`
		`%dir /var/db/sudo/lectured`
		`%attr(4111,root,root) %{_bindir}/sudo`
		`@@ -205,6 +201,12 @@`
		`%{_mandir}/man8/sudo_plugin.8*`

		`%changelog`
		`+ * Wed Jul 08 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.1-1`
		`+ - rebase to 1.9.1`
		`+ Resolves: rhbz#1848788`
		`+ - fix rpmlint errors`
		`+ Resolves: rhbz#1817139`
		`+`
		`* Wed Mar 25 2020 Attila Lakatos <alakatos@redhat.com> - 1.9.0-0.1.b4`
		`- update to latest development version 1.9.0b4`
		`Resolves: rhbz#1816593`