diff --git a/.gitignore b/.gitignore
index 96963ea..7cafc1c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -17,3 +17,4 @@
 /sudo-1.8.25.tar.gz
 /sudo-1.8.25p1.tar.gz
 /sudo-1.8.27.tar.gz
+/sudo-1.8.28.tar.gz
diff --git a/sources b/sources
index c04905d..68032d5 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (sudo-1.8.27.tar.gz) = 0480def650ab880ab9e6c51c606a06897fd638f0381e99c038f5aa47d064aaa2fb35b73eee7f86e73185e18d5dbb8b6ba49c616b1785a1edb2dd6d7b2fa4fcac
+SHA512 (sudo-1.8.28.tar.gz) = 09e589cdfd18d7c43b0859a0e11c008b3cb995ae4f8c89c717c5242db9e5696361eb574ebe74a0b5316afffb3a8037f7a7f3c249176e8ed9caffeb4cd860ddc7
diff --git a/sudo.spec b/sudo.spec
index 4a1682a..f8b8822 100644
--- a/sudo.spec
+++ b/sudo.spec
@@ -1,9 +1,7 @@
-%global user millert
-
 Summary: Allows restricted root access for specified users
 Name: sudo
-Version: 1.8.27
-Release: 3%{?dist}
+Version: 1.8.28
+Release: 1%{?dist}
 License: ISC
 URL: http://www.courtesan.com/sudo/
 Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz
@@ -191,6 +189,16 @@ EOF
 %{_mandir}/man8/sudo_plugin.8*
 %changelog
+* Tue Oct 15 2019 Radovan Sroka - 1.8.28-1
+- rebase to 1.8.28
+Resolves: rhbz#1761533
+- set always_set_home by default
+Resolves: rhbz#1728687
+- Sync sudoers options from rhel8 to fedora
+Resolves: rhbz#1761781
+- CVE-2019-14287
+Resolves: rhbz#1761584
+
 * Sat Jul 27 2019 Fedora Release Engineering - 1.8.27-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
diff --git a/sudoers b/sudoers
index 9d57af5..e68d56c 100644
--- a/sudoers
+++ b/sudoers
@@ -30,7 +30,7 @@
 # Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
 ## Services
-# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
+# Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig, /usr/bin/systemctl start, /usr/bin/systemctl stop, /usr/bin/systemctl reload, /usr/bin/systemctl restart, /usr/bin/systemctl status, /usr/bin/systemctl enable, /usr/bin/systemctl disable
 ## Updating the locate database
 # Cmnd_Alias LOCATE = /usr/bin/updatedb
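Review bot: The systemctl entries added to the commented-out SERVICES alias each carry a subcommand argument, and sudoers matches listed arguments exactly, so an entry such as `/usr/bin/systemctl start` permits only a bare `sudo systemctl start` with no unit name and never matches a real invocation; an administrator who uncomments this template will find the alias does nothing useful and is then tempted to grant `/usr/bin/systemctl` outright. If the intent is to allow managing arbitrary units, the entries need an argument wildcard, e.g. `/usr/bin/systemctl start *`, together with a comment warning that `*` also matches option arguments and not just the unit name. It is also worth noting (from systemd behaviour rather than this file) that `systemctl enable` accepts an absolute path to a unit file and `systemctl status` may run a pager as the target user, so `enable` and `status` deserve an explicit caveat before being offered in a template alias.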
@@ -54,13 +54,37 @@
 # Defaults !visiblepw
+#
+# Preserving HOME has security implications since many programs
+# use it when searching for configuration files. Note that HOME
+# is already set when the the env_reset option is enabled, so
+# this option is only effective for configurations where either
+# env_reset is disabled or HOME is present in the env_keep list.
+#
+Defaults always_set_home
+Defaults match_group_by_gid
+
+# Prior to version 1.8.15, groups listed in sudoers that were not
+# found in the system group database were passed to the group
+# plugin, if any. Starting with 1.8.15, only groups of the form
+# %:group are resolved via the group plugin by default.
+# We enable always_query_group_plugin to restore old behavior.
+# Disable this option for new behavior.
+Defaults always_query_group_plugin
+
 Defaults env_reset
 Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
-Defaults env_keep += "MAIL QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
+Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
 Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
 Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
 Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
+#
+# Adding HOME to env_keep may enable a user to run unrestricted
+# commands via sudo.
+#
+# Defaults env_keep += "HOME"
+
 Defaults secure_path = /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 ## Next comes the main part: which users can run what software on
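Review bot: The warning placed above the commented-out `# Defaults env_keep += "HOME"` does not mention that `Defaults always_set_home`, enabled earlier in this hunk, overrides a kept HOME, even though the comment above always_set_home says precisely that; read on its own the HOME block implies that uncommenting it opens a hole, while the two comments together say it has no effect until always_set_home is also removed. A cross-reference such as `# HOME in env_keep is overridden while always_set_home (above) is enabled.` would keep the two notes consistent. The always_set_home comment also has a doubled word, `when the the env_reset option`, and `Defaults match_group_by_gid` is the only new option here with no comment on why it is enabled; a one-liner pointing at match_group_by_gid in sudoers(5) would suffice. Adding PS1 and PS2 to env_keep looks low risk, since a prompt only expands in an interactive shell the caller was already permitted to run, but a one-line rationale there would save the next reviewer the same question.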