From: Peter Müller
To: development@lists.ipfire.org
Subject: Re: [PATCH] sudo: Update to version 1.9.8p1
Date: Sat, 18 Sep 2021 16:27:41 +0000
Message-ID: <795e3786-661b-9dee-17f8-2db2899e0d41@ipfire.org>
In-Reply-To: <20210917201355.3478930-1-adolf.belka@ipfire.org>

Acked-by: Peter Müller

> - Update from 1.9.7p2 to 1.9.8p1
> - Update rootfile
> - Changelog
> Major changes between version 1.9.8 and 1.9.8p1:
> Fixed support for passing a prompt (sudo -p) or a login class (sudo -c) on the
> command line. This is a regression introduced in sudo 1.9.8. Bug #993.
> Fixed a crash with sudo ALL rules in the LDAP and SSSD back-ends. This is a
> regression introduced in sudo 1.9.8. Bug #994.
> Fixed a compilation error when the --enable-static-sudoers configure option was
> specified. This is a regression introduced in sudo 1.9.8 caused by a symbol clash
> with the intercept and log server protobuf functions.
> Major changes between version 1.9.7p2 and 1.9.8:
> It is now possible to transparently intercept sub-commands executed by the
> original command run via sudo. Intercept support is implemented using LD_PRELOAD
> (or the equivalent supported by the system) and so has some limitations. The two
> main limitations are that only dynamic executables are supported and only the
> execl, execle, execlp, execv, execve, execvp, and execvpe library functions are
> currently intercepted. Its main use case is to support restricting privileged
> shells run via sudo.
> To support this, there is a new intercept Defaults setting and an INTERCEPT command
> tag that can be used in sudoers. For example:
> Cmnd_Alias SHELLS=/bin/bash, /bin/sh, /bin/csh, /bin/ksh, /bin/zsh
> Defaults!SHELLS intercept
> would cause sudo to run the listed shells in intercept mode. This can also be set
> on a per-rule basis. For example:
> Cmnd_Alias SHELLS=/bin/bash, /bin/sh, /bin/csh, /bin/ksh, /bin/zsh
> chuck ALL = INTERCEPT: SHELLS
> would only apply intercept mode to user chuck when running one of the listed shells.
> In intercept mode, sudo will not prompt for a password before running a sub-command
> and will not allow a set-user-ID or set-group-ID program to be run by default. The
> new intercept_authenticate and sudoers settings can be used to change this behavior.
> The new log_subcmds sudoers setting can be used to log commands run in a privileged
> shell. It uses the same mechanism as the intercept support described above and has
> the same limitations.
> Support for logging sudo_logsrvd errors via syslog or to a file. Previously, most
> sudo_logsrvd errors were only visible in the debug log.
> Better diagnostics when there is a TLS certificate validation error.
> Using the += or -= operators in a Defaults setting that takes a string, not a list,
> now produces a warning from sudo and a syntax error from inside visudo.
> Fixed a bug where the iolog_mode setting in sudoers and sudo_logsrvd had no effect
> when creating I/O log parent directories if the I/O log file name ended with the
> string XXXXXX.
> Fixed a bug in the sudoers custom prompt code where the size parameter that was
> passed to the strlcpy() function was incorrect. No overflow was possible since the
> correct amount of memory was already pre-allocated.
> The mksigname and mksiglist helper programs are now built with the host compiler,
> not the target compiler, when cross-compiling. Bug #989.
> Fixed compilation error when the --enable-static-sudoers configure option was
> specified. This was due to a typo introduced in sudo 1.9.7. GitHub PR #113
> For more details of the changes, view the ChangeLog file in the source tarball
> or at https://www.sudo.ws/changes.html
>
> Signed-off-by: Adolf Belka
> ---
>  config/rootfiles/common/sudo | 2 ++
>  lfs/sudo                     | 4 ++--
>  2 files changed, 4 insertions(+), 2 deletions(-)
>
> diff --git a/config/rootfiles/common/sudo b/config/rootfiles/common/sudo
> index babdcb484..80e83efa4 100644
> --- a/config/rootfiles/common/sudo
> +++ b/config/rootfiles/common/sudo
> @@ -18,6 +18,8 @@ usr/lib/sudo/group_file.so
>  usr/lib/sudo/libsudo_util.so.0.0.0
>  #usr/lib/sudo/sample_approval.la
>  usr/lib/sudo/sample_approval.so
> +#usr/lib/sudo/sudo_intercept.la
> +usr/lib/sudo/sudo_intercept.so
>  #usr/lib/sudo/sudo_noexec.la
>  usr/lib/sudo/sudo_noexec.so
>  #usr/lib/sudo/sudoers.la
> diff --git a/lfs/sudo b/lfs/sudo
> index a74c34e7e..9fabdfd52 100644
> --- a/lfs/sudo
> +++ b/lfs/sudo
> @@ -24,7 +24,7 @@
>
>  include Config
>
> -VER        = 1.9.7p2
> +VER        = 1.9.8p1
>
>  THISAPP    = sudo-$(VER)
>  DL_FILE    = $(THISAPP).tar.gz
> @@ -40,7 +40,7 @@ objects = $(DL_FILE)
>
>  $(DL_FILE) = $(DL_FROM)/$(DL_FILE)
>
> -$(DL_FILE)_MD5 = d6f8217bfd16649236e100c49e0a7cc4
> +$(DL_FILE)_MD5 = ae9c8b32268f27d05bcdcb8f0c04d461
>
>  install : $(TARGET)
>
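Review bot: the new usr/lib/sudo/sudo_intercept.so in the rootfile hunk is inert until sudoers opts in (the intercept Defaults setting or the INTERCEPT: tag described in the commit message), so shipping it changes nothing for existing rules; the commit message should state that explicitly, and note that, like the neighbouring sudo_noexec.so, the plugin works via LD_PRELOAD and therefore only covers dynamically linked executables. Commenting out sudo_intercept.la matches the sample_approval.la and sudo_noexec.la entries around it, so the rootfile style is consistent.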
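Review bot: the VER hunk jumps from 1.9.7p2 straight to 1.9.8p1, skipping 1.9.8, which the quoted changelog says regressed sudo -p / sudo -c handling (Bug #993) and crashed on ALL rules with the LDAP and SSSD back-ends (Bug #994); one line in the commit message saying that 1.9.8p1 is the target because it carries those fixes would make the choice of version self-explanatory.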
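Review bot: in the MD5 hunk, $(DL_FILE)_MD5 is the only download integrity check visible, and MD5 is collision-prone, so the commit message should record where the new value ae9c8b32268f27d05bcdcb8f0c04d461 came from and that it was checked against upstream's published release (the message links https://www.sudo.ws/changes.html but does not say how the checksum was verified) rather than only computed over whatever tarball happened to be downloaded.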
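As an added example (not part of the patch or of IPFire's own configuration), the intercept settings named in the quoted changelog combined so that a privileged shell re-authenticates for each sub-command and logs it; the user name admin is assumed, the shell paths are the ones listed in the changelog:

```sudoers
# Added example: restrict privileged shells with the sudo 1.9.8 intercept mode.
# Assumed user name "admin"; shell paths are those from the changelog.
Cmnd_Alias SHELLS = /bin/bash, /bin/sh, /bin/csh, /bin/ksh, /bin/zsh

# Weak: intercept alone lets the shell launch sub-commands without a further
# password prompt (the default in intercept mode) and records nothing about them.
# Defaults!SHELLS intercept

# Hardened: require the password again for each intercepted sub-command and
# log every command run from the shell (log_subcmds uses the same mechanism).
Defaults!SHELLS intercept, intercept_authenticate, log_subcmds

# Grant the shells; the INTERCEPT: tag form (admin ALL = INTERCEPT: SHELLS)
# would enable intercept mode for this rule only instead of via Defaults.
admin ALL = SHELLS
```

Validate the file with visudo -c before installing it; as the changelog states, only dynamically linked executables calling the exec family are intercepted, so a statically linked program started from the shell is not covered.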