Revisions of sudo
Dominique Leuenberger (dimstar_suse)
accepted
request 287253
from
Marcus Meissner (msmeissn)
(revision 70)
1
Dominique Leuenberger (dimstar_suse)
accepted
request 260242
from
Marcus Meissner (msmeissn)
(revision 68)
1
Adrian Schröter (adrianSuSE)
committed
(revision 66)
Split 13.2 from Factory
Stephan Kulow (coolo)
accepted
request 234227
from
Stephan Kulow (coolo)
(revision 65)
- update to 1.8.10p3 * Fixed expansion of the %p escape in the prompt for "sudo -l" when rootpw, runaspw or targetpw is set. Bug #639. * Fixed matching of uids and gids which was broken in version 1.8.9 * PAM credential initialization has been re-enabled. It was unintentionally disabled by default in version 1.8.8. The way credentials are initialized has also been fixed. Bug #642. * Fixed a descriptor leak on Linux when determing boot time. Sudo normally closes extra descriptors before running a command so the impact is limited. Bug #645. * Fixed flushing of the last buffer of data when I/O logging is enabled. This bug, introduced in version 1.8.9, could cause incomplete command output on some systems. Bug #646. * Fixed a hang introduced in sudo 1.8.10 when timestamp_timeout is set to zero. Bug #638. - don't install test LICENSE with executable perms (forwarded request 234191 from vitezslav_cizek)
Stephan Kulow (coolo)
accepted
request 226049
from
Stephan Kulow (coolo)
(revision 64)
- update to 1.8.10p1 * Fixed a bug with netgated commands in "sudo -l command" that could cause the command to be listed even when it was explicitly denied. This only affected list mode when a command was specified. Bug #636. * It is now possible to disable network interface probing in sudo.conf by changing the value of the probe_interfaces setting. * When listing a user's privileges (sudo -l), the sudoers plugin will now prompt for the user's password even if the targetpw, rootpw or runaspw options are set. * The sudoers plugin uses a new format for its time stamp files. Bug #616. * sudo's -K option will now remove all of the user's time stamps, not just the time stamp for the current terminal. The -k option can be used to only disable time stamps for the current terminal. * If sudo was started in the background and needed to prompt for a password, it was not possible to suspend it at the password prompt * LDAP-based sudoers now uses a default search filter of (objectClass=sudoRole) for more efficient queries. The netgroup query has been modified to avoid falling below the minimum length for OpenLDAP substring indices. * The new use_netgroups sudoers option can be used to explicitly enable or disable netgroups support. For LDAP-based sudoers, netgroup support requires an expensive substring match on the server. If netgroups are not needed, this option can be disabled to reduce the load on the LDAP server. * Sudo is once again able to open the sudoers file when the group on sudoers doesn't match the expected value, so long as the file is not group writable. (forwarded request 225988 from vitezslav_cizek)
Stephan Kulow (coolo)
accepted
request 220617
from
Stephan Kulow (coolo)
(revision 63)
- added subpackage with a test for fate#313276 (forwarded request 215868 from vitezslav_cizek)
Stephan Kulow (coolo)
accepted
request 215577
from
Vítězslav Čížek (vitezslav_cizek)
(revision 62)
- update to 1.8.9p4 * Fixed a bug where sudo could consume large amounts of CPU while the command was running when I/O logging is not enabled. Bug #631 (bnc#861153) * Fixed a bug where sudo would exit with an error when the debug level is set to util@debug or all@debug and I/O logging is not enabled. The command would continue runnning after sudo exited. (forwarded request 215575 from vitezslav_cizek)
Stephan Kulow (coolo)
accepted
request 213957
from
Marcus Meissner (msmeissn)
(revision 61)
- update to 1.8.9p3 - set secure_path to /usr/sbin:/usr/bin:/sbin:/bin - changes since 1.8.8: * Fixed a bug introduced in sudo 1.8.9 that prevented the tty name from being resolved properly on Linux systems. Bug #630. * Updated config.guess, config.sub and libtool to support the ppc64le architecture (IBM PowerPC Little Endian). * Fixed a problem with gcc 4.8's handling of bit fields that could lead to the noexec flag being enabled even when it was not explicitly set. * Reworked sudo's main event loop to use a simple event subsystem using poll(2) or select(2) as the back end. * It is now possible to statically compile the sudoers plugin into the sudo binary without disabling shared library support. The sudo.conf file may still be used to configure other plugins. * Sudo can now be compiled again with a C preprocessor that does not support variadic macros. * Visudo can now export a sudoers file in JSON format using the new -x flag. * The locale is now set correctly again for visudo and sudoreplay. * The plugin API has been extended to allow the plugin to exclude specific file descriptors from the "closefrom" range. * There is now a workaround for a Solaris-specific problem where NOEXEC was overriding traditional root DAC behavior. * Add user netgroup filtering for SSSD. Previously, rules for a netgroup were applied to all even when they did not belong to the specified netgroup. * On systems with BSD login classes, if the user specified a group (not a user) to run the command as, it was possible to specify a different login class even when the command was not run as the (forwarded request 213857 from vitezslav_cizek)
Tomáš Chvátal (scarabeus_factory)
accepted
request 202629
from
Marcus Meissner (msmeissn)
(revision 60)
- update to 1.8.8 - drop sudo-plugins-sudoers-sssd.patch (upstream) * Removed a warning on PAM systems with stacked auth modules where the first module on the stack does not succeed. * Sudo, sudoreplay and visudo now support GNU-style long options. * The -h (--host) option may now be used to specify a host name. This is currently only used by the sudoers plugin in conjunction with the -l (--list) option. * Sudo's LDAP SASL support now works properly with Kerberos. Previously, the SASL library was unable to locate the user's credential cache. * It is now possible to set the nproc resource limit to unlimited via pam_limits on Linux (bug #565). * New "pam_service" and "pam_login_service" sudoers options that can be used to specify the PAM service name to use. * New "pam_session" and "pam_setcred" sudoers options that can be used to disable PAM session and credential support. * The sudoers plugin now properly supports UIDs and GIDs that are larger than 0x7fffffff on 32-bit platforms. * Fixed a visudo bug introduced in sudo 1.8.7 where per-group Defaults entries would cause an internal error. * If the "tty_tickets" sudoers option is enabled (the default), but there is no tty present, sudo will now use a ticket file based on the parent process ID. This makes it possible to support the normal timeout behavior for the session. * Fixed a problem running commands that change their process group and then attempt to change the terminal settings when not running the command in a pseudo-terminal. Previously, the process would receive SIGTTOU since it was effectively a background process. Sudo will now grant the child the controlling tty and (forwarded request 202594 from vitezslav_cizek)
Adrian Schröter (adrianSuSE)
committed
(revision 59)
Split 13.1 from Factory
Stephan Kulow (coolo)
accepted
request 182936
from
Dirk Mueller (dirkmueller)
(revision 58)
- fix the default flag settings in manual to reflect changes caused by sudo-sudoers.patch (bnc#823292) (forwarded request 182920 from vitezslav_cizek)
Stephan Kulow (coolo)
accepted
request 182711
from
Marcus Meissner (msmeissn)
(revision 57)
- Added patch to resolve packaging error. Patch has been sent upstream. * E: sudo 64bit-portability-issue ./sssd.c:829 - Enable SSSD as a sudoers data source (forwarded request 182674 from deadpoint)
Stephan Kulow (coolo)
accepted
request 181790
from
Dirk Mueller (dirkmueller)
(revision 56)
- restore accidentally dropped suse-specific patches * remove CVE-2013-1775 * remove CVE-2013-1776 * The non-Unix group plugin is now supported when sudoers data is stored in LDAP. * User messages are now always displayed in the user's locale, even when the same message is being logged or mailed in a different locale. * Log files created by sudo now explicitly have the group set to group ID 0 rather than relying on BSD group semantics (which may not be the default). * A new exec_background sudoers option can be used to initially run the command without read access to the terminal when running a command in a pseudo-tty. * Sudo now produces better error messages when there is an error in the sudo.conf file. * Two new settings have been added to sudo.conf to give the admin better control of how group database queries are performed. * There is now a standalone sudo.conf manual page. * New support for specifying a SHA-2 digest along with the command in sudoers. Supported hash types are sha224, sha256, sha384 and sha512. See the description of Digest_Spec in the sudoers manual or the description of sudoCommand in the sudoers.ldap manual for details. * Fixed potential false positives in visudo's alias cycle detection. * Sudo now only builds Position Independent Executables (PIE) by default on Linux systems and verifies that a trivial test program builds and runs.
Stephan Kulow (coolo)
accepted
request 181328
from
Dirk Mueller (dirkmueller)
(revision 55)
Update to upstream release 1.8.7, obsoleted patches. (forwarded request 181200 from stroeder)
Stephan Kulow (coolo)
accepted
request 156978
from
Vítězslav Čížek (vitezslav_cizek)
(revision 54)
- added two security fixes: * CVE-2013-1775 (bnc#806919) + sudo-1.8.6p3-CVE-2013-1775.patch * CVE-2013-1776 (bnc#806921) + sudo-1.8.6p3-CVE-2013-1776.patch (forwarded request 156969 from vitezslav_cizek)
Adrian Schröter (adrianSuSE)
committed
(revision 53)
Split 12.3 from Factory
Displaying revisions 81 - 100 of 152