From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Adolf Belka
To: development@lists.ipfire.org
Subject: [PATCH] sudo: Update to version 1.9.8p1
Date: Fri, 17 Sep 2021 22:13:55 +0200
Message-ID: <20210917201355.3478930-1-adolf.belka@ipfire.org>

- Update from 1.9.7p2 to 1.9.8p1
- Update rootfile
- Changelog
   Major changes between version 1.9.8 and 1.9.8p1:
    Fixed support for passing a prompt (sudo -p) or a login class (sudo -c)
     on the command line. This is a regression introduced in sudo 1.9.8.
     Bug #993.
    Fixed a crash with sudo ALL rules in the LDAP and SSSD back-ends. This
     is a regression introduced in sudo 1.9.8. Bug #994.
    Fixed a compilation error when the --enable-static-sudoers configure
     option was specified. This is a regression introduced in sudo 1.9.8
     caused by a symbol clash with the intercept and log server protobuf
     functions.
   Major changes between version 1.9.7p2 and 1.9.8:
    It is now possible to transparently intercept sub-commands executed by
     the original command run via sudo. Intercept support is implemented
     using LD_PRELOAD (or the equivalent supported by the system) and so has
     some limitations. The two main limitations are that only dynamic
     executables are supported and only the execl, execle, execlp, execv,
     execve, execvp, and execvpe library functions are currently
     intercepted. Its main use case is to support restricting privileged
     shells run via sudo.
     To support this, there is a new intercept Defaults setting and an
     INTERCEPT command tag that can be used in sudoers. For example:
        Cmnd_Alias SHELLS=/bin/bash, /bin/sh, /bin/csh, /bin/ksh, /bin/zsh
        Defaults!SHELLS intercept
     would cause sudo to run the listed shells in intercept mode. This can
     also be set on a per-rule basis. For example:
        Cmnd_Alias SHELLS=/bin/bash, /bin/sh, /bin/csh, /bin/ksh, /bin/zsh
        chuck ALL = INTERCEPT: SHELLS
     would only apply intercept mode to user chuck when running one of the
     listed shells.
     In intercept mode, sudo will not prompt for a password before running a
     sub-command and will not allow a set-user-ID or set-group-ID program to
     be run by default. The new intercept_authenticate and sudoers settings
     can be used to change this behavior.
    The new log_subcmds sudoers setting can be used to log commands run in a
     privileged shell. It uses the same mechanism as the intercept support
     described above and has the same limitations.
    Support for logging sudo_logsrvd errors via syslog or to a file.
     Previously, most sudo_logsrvd errors were only visible in the debug
     log.
    Better diagnostics when there is a TLS certificate validation error.
    Using the += or -= operators in a Defaults setting that takes a string,
     not a list, now produces a warning from sudo and a syntax error from
     inside visudo.
    Fixed a bug where the iolog_mode setting in sudoers and sudo_logsrvd had
     no effect when creating I/O log parent directories if the I/O log file
     name ended with the string XXXXXX.
    Fixed a bug in the sudoers custom prompt code where the size parameter
     that was passed to the strlcpy() function was incorrect. No overflow
     was possible since the correct amount of memory was already
     pre-allocated.
    The mksigname and mksiglist helper programs are now built with the host
     compiler, not the target compiler, when cross-compiling. Bug #989.
    Fixed compilation error when the --enable-static-sudoers configure
     option was specified. This was due to a typo introduced in sudo 1.9.7.
     GitHub PR #113
  For more details of the changes, view the ChangeLog file in the source
   tarball or at https://www.sudo.ws/changes.html

Signed-off-by: Adolf Belka
---
 config/rootfiles/common/sudo | 2 ++
 lfs/sudo                     | 4 ++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/config/rootfiles/common/sudo b/config/rootfiles/common/sudo index babdcb484..80e83efa4 100644 --- a/config/rootfiles/common/sudo +++ b/config/rootfiles/common/sudo @@ -18,6 +18,8 @@ usr/lib/sudo/group_file.so usr/lib/sudo/libsudo_util.so.0.0.0 #usr/lib/sudo/sample_approval.la usr/lib/sudo/sample_approval.so +#usr/lib/sudo/sudo_intercept.la +usr/lib/sudo/sudo_intercept.so #usr/lib/sudo/sudo_noexec.la usr/lib/sudo/sudo_noexec.so #usr/lib/sudo/sudoers.la diff --git a/lfs/sudo b/lfs/sudo index a74c34e7e..9fabdfd52 100644 --- a/lfs/sudo +++ b/lfs/sudo @@ -24,7 +24,7 @@ =20 include Config =20 -VER =3D 1.9.7p2 +VER =3D 1.9.8p1 =20 THISAPP =3D sudo-$(VER) DL_FILE =3D $(THISAPP).tar.gz @@ -40,7 +40,7 @@ objects =3D $(DL_FILE) =20 $(DL_FILE) =3D $(DL_FROM)/$(DL_FILE) =20 -$(DL_FILE)_MD5 =3D d6f8217bfd16649236e100c49e0a7cc4 +$(DL_FILE)_MD5 =3D ae9c8b32268f27d05bcdcb8f0c04d461 =20 install : $(TARGET) =20 --=20 2.33.0 --===============2819058082319178215==--
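
Review bot: In the config/rootfiles/common/sudo hunk, the new usr/lib/sudo/sudo_intercept.so entry ships the LD_PRELOAD-based intercept module, but the commit message only says "Update rootfile". Please name the added file there and note that this patch touches no sudoers configuration, so intercept and log_subcmds stay off unless an administrator enables them. The changelog in the message states that the mechanism only covers dynamic executables and the listed exec* library functions, which deserves a line for anyone planning to rely on it to restrict privileged shells. Leaving sudo_intercept.la commented out matches the neighbouring .la entries.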
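
Review bot: In the lfs/sudo hunk, the replaced $(DL_FILE)_MD5 line is the only integrity value for the new tarball visible in this patch, and MD5 is not collision resistant. If the lfs makefiles accept a stronger digest, add one alongside it, and state in the commit message that the new value was checked against the checksum or signature published by upstream rather than computed from whatever was downloaded.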