diff --git a/SOURCES/sudo-1.8.23-Ignore-PAM_NEW_AUTHTOK_REQD-and-PAM_AUTHTOK_EXPIRED.patch b/SOURCES/sudo-1.8.23-Ignore-PAM_NEW_AUTHTOK_REQD-and-PAM_AUTHTOK_EXPIRED.patch
new file mode 100644
index 00000000..826e7348
--- /dev/null
+++ b/SOURCES/sudo-1.8.23-Ignore-PAM_NEW_AUTHTOK_REQD-and-PAM_AUTHTOK_EXPIRED.patch
@@ -0,0 +1,161 @@ +From 0f303a2de843c31afb03b558dfb7287be79e6e17 Mon Sep 17 00:00:00 2001 +From: "Todd C. Miller" +Date: Thu, 26 Jul 2018 12:31:29 -0600 +Subject: [PATCH] Ignore PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED errors + from pam_acct_mgmt() if authentication is disabled for the user. Bug #843 + +--- + plugins/sudoers/auth/bsdauth.c | 2 +- + plugins/sudoers/auth/pam.c | 10 +++++++++- + plugins/sudoers/auth/sudo_auth.c | 4 ++-- + plugins/sudoers/auth/sudo_auth.h | 6 +++--- + plugins/sudoers/check.c | 4 +++- + plugins/sudoers/sudoers.h | 2 +- + 6 files changed, 19 insertions(+), 9 deletions(-) + +diff --git a/plugins/sudoers/auth/bsdauth.c b/plugins/sudoers/auth/bsdauth.c +index 444cd337..390263d3 100644 +--- a/plugins/sudoers/auth/bsdauth.c ++++ b/plugins/sudoers/auth/bsdauth.c +@@ -168,7 +168,7 @@ bsdauth_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_con + } + + int +-bsdauth_approval(struct passwd *pw, sudo_auth *auth) ++bsdauth_approval(struct passwd *pw, sudo_auth *auth, bool exempt) + { + struct bsdauth_state *state = auth->data; + debug_decl(bsdauth_approval, SUDOERS_DEBUG_AUTH) +diff --git a/plugins/sudoers/auth/pam.c b/plugins/sudoers/auth/pam.c +index 347289da..a4749448 100644 +--- a/plugins/sudoers/auth/pam.c ++++ b/plugins/sudoers/auth/pam.c +@@ -202,7 +202,7 @@ sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_co + } + + int +-sudo_pam_approval(struct passwd *pw, sudo_auth *auth) ++sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt) + { + const char *s; + int *pam_status = (int *) auth->data; +@@ -217,6 +217,10 @@ sudo_pam_approval(struct passwd *pw, sudo_auth *auth) + "is your account locked?")); + debug_return_int(AUTH_FATAL); + case PAM_NEW_AUTHTOK_REQD: ++ /* Ignore if user is exempt from password restrictions. */ ++ if (exempt) ++ debug_return_int(AUTH_SUCCESS); ++ /* New password required, try to change it. 
*/ + log_warningx(0, N_("Account or password is " + "expired, reset your password and try again")); + *pam_status = pam_chauthtok(pamh, +@@ -229,6 +233,10 @@ sudo_pam_approval(struct passwd *pw, sudo_auth *auth) + N_("unable to change expired password: %s"), s); + debug_return_int(AUTH_FAILURE); + case PAM_AUTHTOK_EXPIRED: ++ /* Ignore if user is exempt from password restrictions. */ ++ if (exempt) ++ debug_return_int(AUTH_SUCCESS); ++ /* Password expired, cannot be updated by user. */ + log_warningx(0, + N_("Password expired, contact your system administrator")); + debug_return_int(AUTH_FATAL); +diff --git a/plugins/sudoers/auth/sudo_auth.c b/plugins/sudoers/auth/sudo_auth.c +index 6ef9bd72..5d9382dc 100644 +--- a/plugins/sudoers/auth/sudo_auth.c ++++ b/plugins/sudoers/auth/sudo_auth.c +@@ -163,7 +163,7 @@ sudo_auth_init(struct passwd *pw) + * Returns true on success, false on failure and -1 on error. + */ + int +-sudo_auth_approval(struct passwd *pw, int validated) ++sudo_auth_approval(struct passwd *pw, int validated, bool exempt) + { + sudo_auth *auth; + debug_decl(sudo_auth_approval, SUDOERS_DEBUG_AUTH) +@@ -171,7 +171,7 @@ sudo_auth_approval(struct passwd *pw, int validated) + /* Call approval routines. */ + for (auth = auth_switch; auth->name; auth++) { + if (auth->approval && !IS_DISABLED(auth)) { +- int status = (auth->approval)(pw, auth); ++ int status = (auth->approval)(pw, auth, exempt); + if (status != AUTH_SUCCESS) { + /* Assume error msg already printed. 
*/ + log_auth_failure(validated, 0); +diff --git a/plugins/sudoers/auth/sudo_auth.h b/plugins/sudoers/auth/sudo_auth.h +index ea5ed9cd..9ae69cd5 100644 +--- a/plugins/sudoers/auth/sudo_auth.h ++++ b/plugins/sudoers/auth/sudo_auth.h +@@ -31,7 +31,7 @@ typedef struct sudo_auth { + int (*init)(struct passwd *pw, struct sudo_auth *auth); + int (*setup)(struct passwd *pw, char **prompt, struct sudo_auth *auth); + int (*verify)(struct passwd *pw, char *p, struct sudo_auth *auth, struct sudo_conv_callback *callback); +- int (*approval)(struct passwd *pw, struct sudo_auth *auth); ++ int (*approval)(struct passwd *pw, struct sudo_auth *auth, bool exempt); + int (*cleanup)(struct passwd *pw, struct sudo_auth *auth); + int (*begin_session)(struct passwd *pw, char **user_env[], struct sudo_auth *auth); + int (*end_session)(struct passwd *pw, struct sudo_auth *auth); +@@ -56,7 +56,7 @@ extern sudo_conv_t sudo_conv; + /* Prototypes for standalone methods */ + int bsdauth_init(struct passwd *pw, sudo_auth *auth); + int bsdauth_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback); +-int bsdauth_approval(struct passwd *pw, sudo_auth *auth); ++int bsdauth_approval(struct passwd *pw, sudo_auth *auth, bool exempt); + int bsdauth_cleanup(struct passwd *pw, sudo_auth *auth); + int sudo_aix_init(struct passwd *pw, sudo_auth *auth); + int sudo_aix_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback); +@@ -67,7 +67,7 @@ int sudo_fwtk_cleanup(struct passwd *pw, sudo_auth *auth); + int sudo_pam_init(struct passwd *pw, sudo_auth *auth); + int sudo_pam_init_quiet(struct passwd *pw, sudo_auth *auth); + int sudo_pam_verify(struct passwd *pw, char *prompt, sudo_auth *auth, struct sudo_conv_callback *callback); +-int sudo_pam_approval(struct passwd *pw, sudo_auth *auth); ++int sudo_pam_approval(struct passwd *pw, sudo_auth *auth, bool exempt); + int sudo_pam_cleanup(struct passwd *pw, sudo_auth *auth); + int 
sudo_pam_begin_session(struct passwd *pw, char **user_env[], sudo_auth *auth); + int sudo_pam_end_session(struct passwd *pw, sudo_auth *auth); +diff --git a/plugins/sudoers/check.c b/plugins/sudoers/check.c +index ed49d63a..486a80d8 100644 +--- a/plugins/sudoers/check.c ++++ b/plugins/sudoers/check.c +@@ -175,6 +175,7 @@ check_user(int validated, int mode) + { + struct passwd *auth_pw; + int ret = -1; ++ bool exempt = false; + debug_decl(check_user, SUDOERS_DEBUG_AUTH) + + /* +@@ -194,6 +195,7 @@ check_user(int validated, int mode) + sudo_debug_printf(SUDO_DEBUG_INFO, "%s: %s", __func__, + !def_authenticate ? "authentication disabled" : + "user exempt from authentication"); ++ exempt = true; + ret = true; + goto done; + } +@@ -218,7 +220,7 @@ check_user(int validated, int mode) + done: + if (ret == true) { + /* The approval function may disallow a user post-authentication. */ +- ret = sudo_auth_approval(auth_pw, validated); ++ ret = sudo_auth_approval(auth_pw, validated, exempt); + } + sudo_auth_cleanup(auth_pw); + sudo_pw_delref(auth_pw); +diff --git a/plugins/sudoers/sudoers.h b/plugins/sudoers/sudoers.h +index 57db74c1..956cb084 100644 +--- a/plugins/sudoers/sudoers.h ++++ b/plugins/sudoers/sudoers.h +@@ -265,7 +265,7 @@ int verify_user(struct passwd *pw, char *prompt, int validated, struct sudo_conv + int sudo_auth_begin_session(struct passwd *pw, char **user_env[]); + int sudo_auth_end_session(struct passwd *pw); + int sudo_auth_init(struct passwd *pw); +-int sudo_auth_approval(struct passwd *pw, int validated); ++int sudo_auth_approval(struct passwd *pw, int validated, bool exempt); + int sudo_auth_cleanup(struct passwd *pw); + + /* set_perms.c */ +-- +2.13.6 + diff --git a/SOURCES/sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch b/SOURCES/sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch new file mode 100644 index 00000000..25bbfe96 --- /dev/null +++ b/SOURCES/sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch 
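Review bot: In `sudo_pam_approval()` (plugins/sudoers/auth/pam.c) both new `if (exempt)` branches return AUTH_SUCCESS for PAM_NEW_AUTHTOK_REQD and PAM_AUTHTOK_EXPIRED without leaving any trace, so a user for whom authentication is disabled is approved silently even though the account check reported an expired password. Expiring a password therefore no longer stops sudo for those users, and nothing in the logs shows that the PAM result was overridden. I would record the decision before returning, e.g. `sudo_debug_printf(SUDO_DEBUG_INFO, "%s: ignoring expired password, user exempt", __func__);`, in both branches. The rest of the switch lies outside the hunk, so which other account errors still deny should be confirmed there and stated in the comment. `bsdauth_approval()` takes the new `exempt` argument but its body is not shown, so whether it uses the flag cannot be told from here.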
@@ -0,0 +1,70 @@ +diff -up sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok +--- sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok.defaults-double-quote-fix 2018-09-24 18:10:37.235000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.json.ok 2018-09-24 18:11:40.153000000 +0200 +@@ -34,7 +34,7 @@ + }, + { + "Binding": [ +- { "username": "%them" } ++ { "usergroup": "them" } + ], + "Options": [ + { "set_home": true } +@@ -42,7 +42,7 @@ + }, + { + "Binding": [ +- { "username": "%: non UNIX 0 c" } ++ { "nonunixgroup": " non UNIX 0 c" } + ], + "Options": [ + { "set_home": true } +@@ -50,7 +50,7 @@ + }, + { + "Binding": [ +- { "username": "+net" } ++ { "netgroup": "net" } + ], + "Options": [ + { "set_home": true } +diff -up sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok +--- sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok.defaults-double-quote-fix 2018-09-24 18:10:25.216000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/regress/sudoers/test2.toke.ok 2018-09-24 18:11:45.213000000 +0200 +@@ -29,9 +29,9 @@ DEFAULTS_HOST BEGINSTR STRBODY ENDSTR WO + # + DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR + DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR +-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR +-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR +-DEFAULTS_USER BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR ++DEFAULTS_USER BEGINSTR STRBODY ENDSTR USERGROUP DEFVAR ++DEFAULTS_USER BEGINSTR STRBODY ENDSTR USERGROUP DEFVAR ++DEFAULTS_USER BEGINSTR STRBODY ENDSTR NETGROUP DEFVAR + + # + DEFAULTS_RUNAS BEGINSTR STRBODY ENDSTR WORD(4) DEFVAR +diff -up sudo-1.8.23/plugins/sudoers/toke.c.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/toke.c +--- sudo-1.8.23/plugins/sudoers/toke.c.defaults-double-quote-fix 2018-04-29 21:59:23.000000000 +0200 ++++ 
sudo-1.8.23/plugins/sudoers/toke.c 2018-09-24 18:06:15.527000000 +0200 +@@ -2395,7 +2395,7 @@ YY_RULE_SETUP + LEXTRACE("ERROR "); /* empty string */ + LEXRETURN(ERROR); + } +- if (prev_state == INITIAL) { ++ if (prev_state == INITIAL || prev_state == GOTDEFS) { + switch (sudoerslval.string[0]) { + case '%': + if (sudoerslval.string[1] == '\0' || +diff -up sudo-1.8.23/plugins/sudoers/toke.l.defaults-double-quote-fix sudo-1.8.23/plugins/sudoers/toke.l +--- sudo-1.8.23/plugins/sudoers/toke.l.defaults-double-quote-fix 2018-04-29 21:59:23.000000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/toke.l 2018-09-24 18:06:15.528000000 +0200 +@@ -187,7 +187,7 @@ DEFVAR [a-z_]+ + LEXTRACE("ERROR "); /* empty string */ + LEXRETURN(ERROR); + } +- if (prev_state == INITIAL) { ++ if (prev_state == INITIAL || prev_state == GOTDEFS) { + switch (sudoerslval.string[0]) { + case '%': + if (sudoerslval.string[1] == '\0' || diff --git a/SOURCES/sudo-1.8.23-ldapsearchuidfix.patch b/SOURCES/sudo-1.8.23-ldapsearchuidfix.patch new file mode 100644 index 00000000..9698d233 --- /dev/null +++ b/SOURCES/sudo-1.8.23-ldapsearchuidfix.patch 
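Review bot: This patch carries no header saying what it fixes or where it came from, although it changes how sudoers policy is parsed: with `prev_state == GOTDEFS` accepted, quoted `"%group"`, `"%:nonunixgroup"` and `"+netgroup"` Defaults bindings become USERGROUP/NETGROUP tokens instead of plain words, as the updated test2.toke.ok and test2.json.ok show. An existing sudoers file with such a quoted binding may therefore apply that Defaults line to a different set of users after the update. A short header would make that reviewable, e.g. `# Treat quoted %group, %:group and +netgroup in Defaults bindings as groups, not user names (rhbz#1547974)`, plus a reference to the upstream change it was taken from. toke.c is patched by hand next to toke.l with the same one-line change, so the two must be kept identical. The missing-header point also applies to the ldapsearchuidfix, legacy-group-processing, nowaitopt and sudoldapconfman patches.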
@@ -0,0 +1,27 @@ +diff -up sudo-1.8.23/plugins/sudoers/ldap.c.ldapsearchuidfix sudo-1.8.23/plugins/sudoers/ldap.c +--- sudo-1.8.23/plugins/sudoers/ldap.c.ldapsearchuidfix 2018-04-29 21:59:31.000000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/ldap.c 2018-06-18 08:34:01.202686941 +0200 +@@ -1189,8 +1189,8 @@ sudo_ldap_build_pass1(LDAP *ld, struct p + if (ldap_conf.search_filter) + sz += strlen(ldap_conf.search_filter); + +- /* Then add (|(sudoUser=USERNAME)(sudoUser=ALL)) + NUL */ +- sz += 29 + sudo_ldap_value_len(pw->pw_name); ++ /* Then add (|(sudoUser=USERNAME)(sudoUser=#uid)(sudoUser=ALL)) + NUL */ ++ sz += 29 + (12 + MAX_UID_T_LEN) + sudo_ldap_value_len(pw->pw_name); + + /* Add space for primary and supplementary groups and gids */ + if ((grp = sudo_getgrgid(pw->pw_gid)) != NULL) { +@@ -1253,6 +1253,12 @@ sudo_ldap_build_pass1(LDAP *ld, struct p + CHECK_LDAP_VCAT(buf, pw->pw_name, sz); + CHECK_STRLCAT(buf, ")", sz); + ++ /* Append user uid */ ++ (void) snprintf(gidbuf, sizeof(gidbuf), "%u", (unsigned int)pw->pw_uid); ++ (void) strlcat(buf, "(sudoUser=#", sz); ++ (void) strlcat(buf, gidbuf, sz); ++ (void) strlcat(buf, ")", sz); ++ + /* Append primary group and gid */ + if (grp != NULL) { + CHECK_STRLCAT(buf, "(sudoUser=%", sz); diff --git a/SOURCES/sudo-1.8.23-legacy-group-processing.patch b/SOURCES/sudo-1.8.23-legacy-group-processing.patch new file mode 100644 index 00000000..f838215e --- /dev/null +++ b/SOURCES/sudo-1.8.23-legacy-group-processing.patch 
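Review bot: The new uid clause in `sudo_ldap_build_pass1()` appends with `(void) strlcat(...)`, discarding the truncation result, while the user-name and group clauses around it go through `CHECK_LDAP_VCAT` / `CHECK_STRLCAT`. If the size computed earlier is ever short, the filter would be cut mid-clause and sent to the directory malformed instead of failing. Use the same macro as the neighbours: `CHECK_STRLCAT(buf, "(sudoUser=#", sz);`, `CHECK_STRLCAT(buf, gidbuf, sz);`, `CHECK_STRLCAT(buf, ")", sz);`. The `snprintf` into `gidbuf` is also unchecked, and reusing a buffer named for gids to hold a uid deserves a one-line comment. The declaration of `gidbuf` and the macro definitions are outside the hunk, so the buffer's size against MAX_UID_T_LEN and the macros' failure behaviour should be confirmed there.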
@@ -0,0 +1,89 @@ +diff -up sudo-1.8.23/plugins/sudoers/cvtsudoers.c.legacy-group-processing sudo-1.8.23/plugins/sudoers/cvtsudoers.c +--- sudo-1.8.23/plugins/sudoers/cvtsudoers.c.legacy-group-processing 2018-06-28 11:24:25.966475241 +0200 ++++ sudo-1.8.23/plugins/sudoers/cvtsudoers.c 2018-06-28 11:26:40.215025493 +0200 +@@ -321,6 +321,15 @@ main(int argc, char *argv[]) + sudo_fatalx("error: unhandled input %d", input_format); + } + ++ /* ++ * cvtsudoers group filtering doesn't work if def_match_group_by_gid ++ * is set to true by default (at compile-time). It cannot be set to false ++ * because cvtsudoers doesn't apply the parsed Defaults. ++ * ++ * Related: sudo-1.8.23-legacy-group-processing.patch ++ */ ++ def_match_group_by_gid = def_legacy_group_processing = false; ++ + /* Apply filters. */ + filter_userspecs(conf); + filter_defaults(conf); +diff -up sudo-1.8.23/plugins/sudoers/defaults.c.legacy-group-processing sudo-1.8.23/plugins/sudoers/defaults.c +--- sudo-1.8.23/plugins/sudoers/defaults.c.legacy-group-processing 2018-04-29 21:59:31.000000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/defaults.c 2018-06-28 11:24:25.966475241 +0200 +@@ -87,6 +87,7 @@ static struct early_default early_defaul + { I_FQDN }, + #endif + { I_MATCH_GROUP_BY_GID }, ++ { I_LEGACY_GROUP_PROCESSING }, + { I_GROUP_PLUGIN }, + { I_RUNAS_DEFAULT }, + { I_SUDOERS_LOCALE }, +@@ -488,6 +489,8 @@ init_defaults(void) + } + + /* First initialize the flags. 
*/ ++ def_legacy_group_processing = true; ++ def_match_group_by_gid = true; + #ifdef LONG_OTP_PROMPT + def_long_otp_prompt = true; + #endif +diff -up sudo-1.8.23/plugins/sudoers/def_data.c.legacy-group-processing sudo-1.8.23/plugins/sudoers/def_data.c +--- sudo-1.8.23/plugins/sudoers/def_data.c.legacy-group-processing 2018-04-29 21:59:31.000000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/def_data.c 2018-06-28 11:24:25.966475241 +0200 +@@ -494,6 +494,10 @@ struct sudo_defs_types sudo_defs_table[] + N_("Ignore case when matching group names"), + NULL, + }, { ++ "legacy_group_processing", T_FLAG, ++ N_("Don't pre-resolve all group names"), ++ NULL, ++ }, { + NULL, 0, NULL + } + }; +diff -up sudo-1.8.23/plugins/sudoers/def_data.h.legacy-group-processing sudo-1.8.23/plugins/sudoers/def_data.h +--- sudo-1.8.23/plugins/sudoers/def_data.h.legacy-group-processing 2018-04-29 21:59:31.000000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/def_data.h 2018-06-28 11:24:25.967475238 +0200 +@@ -226,6 +226,8 @@ + #define def_case_insensitive_user (sudo_defs_table[I_CASE_INSENSITIVE_USER].sd_un.flag) + #define I_CASE_INSENSITIVE_GROUP 113 + #define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag) ++#define I_LEGACY_GROUP_PROCESSING 114 ++#define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag) + + enum def_tuple { + never, +diff -up sudo-1.8.23/plugins/sudoers/def_data.in.legacy-group-processing sudo-1.8.23/plugins/sudoers/def_data.in +--- sudo-1.8.23/plugins/sudoers/def_data.in.legacy-group-processing 2018-04-29 21:59:31.000000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/def_data.in 2018-06-28 11:24:25.967475238 +0200 +@@ -357,3 +357,6 @@ case_insensitive_user + case_insensitive_group + T_FLAG + "Ignore case when matching group names" ++legacy_group_processing ++ T_FLAG ++ "Don't pre-resolve all group names" +diff -up sudo-1.8.23/plugins/sudoers/sudoers.c.legacy-group-processing sudo-1.8.23/plugins/sudoers/sudoers.c +--- 
sudo-1.8.23/plugins/sudoers/sudoers.c.legacy-group-processing 2018-04-29 21:59:31.000000000 +0200 ++++ sudo-1.8.23/plugins/sudoers/sudoers.c 2018-06-28 11:24:25.967475238 +0200 +@@ -209,6 +209,10 @@ sudoers_policy_init(void *info, char * c + if (set_loginclass(runas_pw ? runas_pw : sudo_user.pw)) + ret = true; + ++ if (!def_match_group_by_gid || !def_legacy_group_processing) { ++ def_match_group_by_gid = false; ++ def_legacy_group_processing = false; ++ } + cleanup: + if (!restore_perms()) + ret = -1; diff --git a/SOURCES/sudo-1.8.23-nowaitopt.patch b/SOURCES/sudo-1.8.23-nowaitopt.patch new file mode 100644 index 00000000..64063964 --- /dev/null +++ b/SOURCES/sudo-1.8.23-nowaitopt.patch 
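Review bot: The block added to `sudoers_policy_init()` just before `cleanup:` clears both `def_match_group_by_gid` and `def_legacy_group_processing` as soon as either one is false, and nothing in the patch explains that coupling. Because `init_defaults()` now sets both to true, a sudoers file that disables only one of them silently loses the other as well, which changes how group entries are matched. Please document it at the block, e.g. `/* legacy_group_processing and match_group_by_gid act as one switch here: turning either off turns both off. */`, and make the def_data.in description say the same. def_data.c and def_data.h are edited alongside def_data.in with a hand-assigned index (114); they look like generated tables, so confirm they still match what the generator would produce. The function body continues outside the hunk.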
@@ -0,0 +1,61 @@ +diff -up sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.c +--- sudo-1.8.23/plugins/sudoers/def_data.c.nowaitopt 2018-06-18 09:36:34.249307795 +0200 ++++ sudo-1.8.23/plugins/sudoers/def_data.c 2018-06-18 09:43:12.122986032 +0200 +@@ -498,6 +498,10 @@ struct sudo_defs_types sudo_defs_table[] + N_("Don't pre-resolve all group names"), + NULL, + }, { ++ "cmnd_no_wait", T_FLAG, ++ N_("Don't fork and wait for the command to finish, just exec it"), ++ NULL, ++ }, { + NULL, 0, NULL + } + }; +diff -up sudo-1.8.23/plugins/sudoers/def_data.h.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.h +--- sudo-1.8.23/plugins/sudoers/def_data.h.nowaitopt 2018-06-18 09:36:34.250307792 +0200 ++++ sudo-1.8.23/plugins/sudoers/def_data.h 2018-06-18 09:43:44.541878327 +0200 +@@ -228,6 +228,8 @@ + #define def_case_insensitive_group (sudo_defs_table[I_CASE_INSENSITIVE_GROUP].sd_un.flag) + #define I_LEGACY_GROUP_PROCESSING 114 + #define def_legacy_group_processing (sudo_defs_table[I_LEGACY_GROUP_PROCESSING].sd_un.flag) ++#define I_CMND_NO_WAIT 115 ++#define def_cmnd_no_wait (sudo_defs_table[I_CMND_NO_WAIT].sd_un.flag) + + enum def_tuple { + never, +diff -up sudo-1.8.23/plugins/sudoers/def_data.in.nowaitopt sudo-1.8.23/plugins/sudoers/def_data.in +--- sudo-1.8.23/plugins/sudoers/def_data.in.nowaitopt 2018-06-18 09:36:34.250307792 +0200 ++++ sudo-1.8.23/plugins/sudoers/def_data.in 2018-06-18 09:45:00.076627403 +0200 +@@ -360,3 +360,6 @@ case_insensitive_group + legacy_group_processing + T_FLAG + "Don't pre-resolve all group names" ++cmnd_no_wait ++ T_FLAG ++ "Don't fork and wait for the command to finish, just exec it" +diff -up sudo-1.8.23/plugins/sudoers/policy.c.nowaitopt sudo-1.8.23/plugins/sudoers/policy.c +diff -up sudo-1.8.23/plugins/sudoers/sudoers.c.nowaitopt sudo-1.8.23/plugins/sudoers/sudoers.c +--- sudo-1.8.23/plugins/sudoers/sudoers.c.nowaitopt 2018-06-18 11:31:51.883751328 +0200 ++++ sudo-1.8.23/plugins/sudoers/sudoers.c 
2018-06-18 11:31:03.670899166 +0200 +@@ -213,6 +213,20 @@ sudoers_policy_init(void *info, char * c + def_match_group_by_gid = false; + def_legacy_group_processing = false; + } ++ ++ /* ++ * Emulate cmnd_no_wait option by disabling PAM session, PTY allocation ++ * and I/O logging. This will cause sudo to execute the given command ++ * directly instead of forking a separate process for it. ++ */ ++ if (def_cmnd_no_wait) { ++ def_pam_setcred = false; ++ def_pam_session = false; ++ def_use_pty = false; ++ def_log_input = false; ++ def_log_output = false; ++ } ++ + cleanup: + if (!restore_perms()) + ret = -1; diff --git a/SOURCES/sudo-1.8.23-sudoldapconfman.patch b/SOURCES/sudo-1.8.23-sudoldapconfman.patch new file mode 100644 index 00000000..3b52ea87 --- /dev/null +++ b/SOURCES/sudo-1.8.23-sudoldapconfman.patch 
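Review bot: Setting `cmnd_no_wait` turns off `log_input`, `log_output`, `use_pty`, `pam_session` and `pam_setcred` in `sudoers_policy_init()` without telling anyone, so one Defaults flag can remove session recording and PAM session handling that the same sudoers file explicitly asks for. The option text "Don't fork and wait for the command to finish, just exec it" gives no hint of that. I would warn when it overrides something that was enabled, `if (def_log_input || def_log_output || def_use_pty) log_warningx(0, N_("cmnd_no_wait disables use_pty, log_input and log_output"));`, placed before the assignments, and state the side effects in the def_data.in description. The function body continues outside the hunk.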
@@ -0,0 +1,32 @@ +diff -up sudo-1.8.23/doc/Makefile.in.sudoldapconfman sudo-1.8.23/doc/Makefile.in +--- sudo-1.8.23/doc/Makefile.in.sudoldapconfman 2018-05-23 13:38:08.347538854 +0200 ++++ sudo-1.8.23/doc/Makefile.in 2018-05-23 13:38:12.806523146 +0200 +@@ -345,10 +345,16 @@ install-doc: install-dirs + rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \ + echo ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \ + ln -s sudo.$(mansectsu)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu)$(MANCOMPRESSEXT); \ ++ rm -f $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \ ++ echo ln -s sudoers.ldap.$(mansectform)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \ ++ ln -s sudoers.ldap.$(mansectform)$(MANCOMPRESSEXT) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform)$(MANCOMPRESSEXT); \ + else \ + rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \ + echo ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \ + ln -s sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu); \ ++ rm -f $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \ ++ echo ln -s sudoers.ldap.$(mansectform) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \ ++ ln -s sudoers.ldap.$(mansectform) $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform); \ + fi + + install-plugin: +@@ -363,8 +369,9 @@ uninstall: + $(DESTDIR)$(mandirsu)/visudo.$(mansectsu) \ + $(DESTDIR)$(mandirform)/sudo.conf.$(mansectform) \ + $(DESTDIR)$(mandirform)/sudoers.$(mansectform) \ +- $(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform) +- $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform) ++ $(DESTDIR)$(mandirform)/sudoers_timestamp.$(mansectform) \ ++ $(DESTDIR)$(mandirform)/sudoers.ldap.$(mansectform) \ ++ $(DESTDIR)$(mandirform)/sudo-ldap.conf.$(mansectform) + + splint: + 
diff --git a/SOURCES/sudoers b/SOURCES/sudoers index 2fdc62f1..93e02ba0 100644 --- a/SOURCES/sudoers +++ b/SOURCES/sudoers @@ -64,6 +64,14 @@ Defaults !visiblepw Defaults always_set_home Defaults match_group_by_gid +# Prior to version 1.8.15, groups listed in sudoers that were not +# found in the system group database were passed to the group +# plugin, if any. Starting with 1.8.15, only groups of the form +# %:group are resolved via the group plugin by default. +# We enable always_query_group_plugin to restore old behavior. +# Disable this option for new behavior. +Defaults always_query_group_plugin + Defaults env_reset Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS" Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE" diff --git a/SPECS/sudo.spec b/SPECS/sudo.spec index 39e3cc2b..2dd01957 100644 --- a/SPECS/sudo.spec +++ b/SPECS/sudo.spec @@ -1,7 +1,7 @@ Summary: Allows restricted root access for specified users Name: sudo -Version: 1.8.19p2 -Release: 13%{?dist} +Version: 1.8.23 +Release: 3%{?dist} License: ISC Group: Applications/System URL: http://www.courtesan.com/sudo/ 
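Review bot: The new `Defaults always_query_group_plugin` line only reaches systems that take the packaged /etc/sudoers: the spec marks that file `%config(noreplace)`, so where it has been edited locally the old content stays and group lookups follow the newer default that the comment describes. The comment should say so, for example `# Upgrades keep a locally modified /etc/sudoers; add this line by hand to keep the old behavior.` The same applies to the `session include system-auth` and `session include sudo` lines added to the PAM snippets in SPECS/sudo.spec, which are also `%config(noreplace)`.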
@@ -9,72 +9,48 @@ Source0: http://www.courtesan.com/sudo/dist/sudo-%{version}.tar.gz Source1: sudoers Source2: sudo-ldap.conf Source3: sudo.conf -Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n) -Requires: /etc/pam.d/system-auth, vim-minimal, libgcrypt +Requires: /etc/pam.d/system-auth +Requires: /usr/bin/vi -BuildRequires: pam-devel -BuildRequires: groff -BuildRequires: openldap-devel -BuildRequires: flex +BuildRequires: /usr/sbin/sendmail +BuildRequires: autoconf +BuildRequires: automake BuildRequires: bison -BuildRequires: automake autoconf libtool -BuildRequires: audit-libs-devel libcap-devel +BuildRequires: flex +BuildRequires: gettext +BuildRequires: groff +BuildRequires: libtool +BuildRequires: audit-libs-devel +BuildRequires: libcap-devel +BuildRequires: libgcrypt-devel BuildRequires: libgcrypt-devel BuildRequires: libselinux-devel -BuildRequires: /usr/sbin/sendmail -BuildRequires: gettext +BuildRequires: openldap-devel +BuildRequires: pam-devel BuildRequires: zlib-devel -BuildRequires: libgcrypt-devel # don't strip Patch1: sudo-1.6.7p5-strip.patch # configure.in fix Patch2: sudo-1.7.2p1-envdebug.patch -# 840980 - sudo creates a new parent process -# Adds cmnd_no_wait Defaults option -Patch3: sudo-1.8.6p3-nowaitopt.patch # 881258 - rpmdiff: added missing sudo-ldap.conf manpage -Patch4: sudo-1.8.6p7-sudoldapconfman.patch -# 1092499 - Regression in sudo 1.8.6p3-7 package, double quotes are not accepted in sudoers -Patch5: sudo-1.8.6p3-doublequotefix.patch -# 1183818 - backport of command digest specification feature -Patch6: sudo-1.8.6p7-digest-backport.patch +Patch3: sudo-1.8.23-sudoldapconfman.patch +# 1247591 - Sudo taking a long time when user information is stored externally. 
+Patch4: sudo-1.8.23-legacy-group-processing.patch # 1135539 - sudo with ldap doesn't work with 'user id' in sudoUser option -Patch7: sudo-1.8.6p7-ldapsearchuidfix.patch +Patch5: sudo-1.8.23-ldapsearchuidfix.patch # 1312486 - RHEL7 sudo logs username "root" instead of realuser in /var/log/secure -Patch8: sudo-1.8.6p7-logsudouser.patch -# fix upstream testsuite - disabling 2 tests, working only with non-root user -Patch9: sudo-1.8.18-testsuitefix.patch -# 1413160 - backport ignore_unknown_defaults flag -Patch10: sudo-1.8.19p2-ignore-unknown-defaults.patch -# 1424575 - backport visudo severity of the message -Patch11: sudo-1.8.19p2-error-warning-visudo-message.patch -# 1369856 - synchronous (real-time) writes in sudo i/o logs -Patch12: sudo-1.8.19p2-iologflush.patch -# 1293306 - Sudo group lookup issue. -Patch13: sudo-1.8.19p2-lookup-issue-doc.patch -# 1360687 - sudo rhel-7 rebase - comment11 -Patch14: sudo-1.8.19p2-upstream-testsuitefix.patch -# 1360687 - sudo rhel-7 rebase - comment13 -Patch15: sudo-1.8.19p2-fqdn-use-after-free.patch -# 1360687 - sudo rhel-7 rebase - comment13 -Patch16: sudo-1.8.19p2-lecture-boolean.patch -# 1455402 - CVE-2017-1000367: Privilege escalation in via improper get_process_ttyname() parsing -Patch17: sudo-1.8.19p2-get_process_ttyname.patch -# 1459152 - CVE-2017-1000368: Privilege escalation via improper get_process_ttyname() parsing (insufficient fix for CVE-2017-1000367) -Patch18: sudo-1.8.19p2-CVE-2017-1000368.patch -# 1485397 - sudo breaking who ldap and local users after upgrade -Patch19: sudo-1.8.21-ldap-pass2-filter.patch -# 1458696 - successful sudo -l returns non-zero if asking for other user -Patch20: sudo-1.8.19p2-display-privs.patch -# 1454571 - Sudo, with I/O Logging log_output option enabled, truncate output in case of cycle over standard input -Patch21: sudo-1.8.19p2-iologtruncate.patch -# 1490358 - Update use_pty and IO logging man page -Patch22: sudo-1.8.19p2-manpage-use_pty.patch -# 1505409 - Regression in "sudo -l" when 
using IPA / sssd -Patch23: sudo-1.8.19p2-sudo-l-sssd.patch -# 1518104 - sudo crashed: double free or corruption (fasttop) -Patch24: sudo-1.8.19p2-sssd-double-free.patch +Patch6: sudo-1.8.6p7-logsudouser.patch +# 840980 - sudo creates a new parent process +# Adds cmnd_no_wait Defaults option +Patch7: sudo-1.8.23-nowaitopt.patch +# 1533964 - sudo skips PAM account module in case NOPASSWD is used in sudoers +# This is fix of a regression in the referenced feature request. It was fixed +# in newer versions of sudo and we backport it to prevent future regression +# bz in RHEL. The feature itself was delivered via the rebase to 1.8.23. +Patch8: sudo-1.8.23-Ignore-PAM_NEW_AUTHTOK_REQD-and-PAM_AUTHTOK_EXPIRED.patch +# 1547974 - (sudo-rhel-7.6-rebase) Rebase sudo to latest stable upstream version +Patch9: sudo-1.8.23-fix-double-quote-parsing-for-Defaults-values.patch %description Sudo (superuser do) allows a system administrator to give certain 
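Review bot: The patch list drops the CVE-2017-1000367 and CVE-2017-1000368 fixes (old Patch17 and Patch18) together with the fqdn use-after-free and sssd double-free patches, and neither the spec nor the changelog records that 1.8.23 already contains them. They are presumably upstream by this version, but for a setuid binary that should be stated rather than assumed. A comment above the Patch lines would do, e.g. `# Dropped in the 1.8.23 rebase, fixed upstream: CVE-2017-1000367, CVE-2017-1000368, fqdn use-after-free, sssd double free`, after checking each against the 1.8.23 tarball. `BuildRequires: libgcrypt-devel` now appears twice in a row.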
@@ -101,28 +77,13 @@ plugins that use %{name}. %patch1 -p1 -b .strip %patch2 -p1 -b .envdebug -%patch3 -p1 -b .nowaitopt -%patch4 -p1 -b .sudoldapconfman -%patch5 -p1 -b .doublequotefix -%patch6 -p1 -b .digest-backport -%patch7 -p1 -b .ldapsearchuidfix -%patch8 -p1 -b .logsudouser -%patch9 -p1 -b .testsuite -%patch10 -p1 -b .ignoreunknowndefaults -%patch11 -p1 -b .errorwarningvisudomsg -%patch12 -p1 -b .iologflush -%patch13 -p1 -b .lookup -%patch14 -p1 -b .testsuite -%patch15 -p1 -b .fqdnafterfree -%patch16 -p1 -b .lecture -%patch17 -p1 -b .get_process_ttyname -%patch18 -p1 -b .CVE-2017-1000368 -%patch19 -p1 -b .ldap-pass2-filter -%patch20 -p1 -b .display-privs -%patch21 -p1 -b .iologtruncate -%patch22 -p1 -b .manpage -%patch23 -p1 -b .sudo-l -%patch24 -p1 -b .double-free +%patch3 -p1 -b .sudoldapconfman +%patch4 -p1 -b .legacy-group-processing +%patch5 -p1 -b .ldapsearchuidfix +%patch6 -p1 -b .logsudouser +%patch7 -p1 -b .nowaitopt +%patch8 -p1 -b .pam-mgmt-ignore-errors +%patch9 -p1 -b .defaults-double-quote-fix %build autoreconf -I m4 -fv --install @@ -144,9 +105,9 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" SHL --with-logfac=authpriv \ --with-pam \ --with-pam-login \ - --with-editor=/bin/vi \ + --with-editor=/usr/bin/vi \ --with-env-editor \ - --with-gcrypt \ + --enable-gcrypt \ --with-ignore-dot \ --with-tty-tickets \ --with-ldap \ 
@@ -155,32 +116,33 @@ export CFLAGS="$RPM_OPT_FLAGS $F_PIE" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now" SHL --with-passprompt="[sudo] password for %p: " \ --with-linux-audit \ --with-sssd -# --without-kerb5 \ -# --without-kerb4 + make +%check make check %install -rm -rf $RPM_BUILD_ROOT +rm -rf %{buildroot} # Update README.LDAP (#736653) sed -i 's|/etc/ldap\.conf|%{_sysconfdir}/sudo-ldap.conf|g' README.LDAP -make install DESTDIR="$RPM_BUILD_ROOT" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g` -chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/* -install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo -install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured -install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d -install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers -install -p -c -m 0640 %{SOURCE3} $RPM_BUILD_ROOT/etc/sudo.conf -install -p -c -m 0640 %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sudo-ldap.conf +make install DESTDIR="%{buildroot}" install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g` + +chmod 755 %{buildroot}%{_bindir}/* %{buildroot}%{_sbindir}/* +install -p -d -m 700 %{buildroot}%{_localstatedir}/db/sudo +install -p -d -m 700 %{buildroot}%{_localstatedir}/db/sudo/lectured +install -p -d -m 750 %{buildroot}%{_sysconfdir}/sudoers.d +install -p -c -m 0440 %{SOURCE1} %{buildroot}%{_sysconfdir}/sudoers +install -p -c -m 0640 %{SOURCE3} %{buildroot}%{_sysconfdir}/sudo.conf +install -p -c -m 0640 %{SOURCE2} %{buildroot}%{_sysconfdir}/sudo-ldap.conf -# Remove execute permission on this script so we don't pull in perl deps -chmod -x $RPM_BUILD_ROOT%{_docdir}/sudo-*/sudoers2ldif +# Remove upstream sudoers file +rm -f %{buildroot}%{_sysconfdir}/sudoers.dist -#Remove all .la files -find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';' +# Remove all .la files +find %{buildroot} -name '*.la' -exec rm -f {} ';' %find_lang sudo %find_lang sudoers 
@@ -188,42 +150,44 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';' cat sudo.lang sudoers.lang > sudo_all.lang rm sudo.lang sudoers.lang -mkdir -p $RPM_BUILD_ROOT/etc/pam.d -cat > $RPM_BUILD_ROOT/etc/pam.d/sudo << EOF +mkdir -p %{buildroot}%{_sysconfdir}/pam.d +cat > %{buildroot}%{_sysconfdir}/pam.d/sudo << EOF #%%PAM-1.0 auth include system-auth account include system-auth password include system-auth session optional pam_keyinit.so revoke session required pam_limits.so +session include system-auth EOF -cat > $RPM_BUILD_ROOT/etc/pam.d/sudo-i << EOF +cat > %{buildroot}%{_sysconfdir}/pam.d/sudo-i << EOF #%%PAM-1.0 auth include sudo account include sudo password include sudo session optional pam_keyinit.so force revoke session required pam_limits.so +session include sudo EOF - %clean -rm -rf $RPM_BUILD_ROOT +rm -rf %{buildroot} %files -f sudo_all.lang %defattr(-,root,root) -%attr(0440,root,root) %config(noreplace) /etc/sudoers -%attr(0640,root,root) %config(noreplace) /etc/sudo.conf +%attr(0440,root,root) %config(noreplace) %{_sysconfdir}/sudoers +%attr(0640,root,root) %config(noreplace) %{_sysconfdir}/sudo.conf %attr(0640,root,root) %config(noreplace) %{_sysconfdir}/sudo-ldap.conf -%attr(0750,root,root) %dir /etc/sudoers.d/ -%config(noreplace) /etc/pam.d/sudo -%config(noreplace) /etc/pam.d/sudo-i +%attr(0750,root,root) %dir %{_sysconfdir}/sudoers.d/ +%config(noreplace) %{_sysconfdir}/pam.d/sudo +%config(noreplace) %{_sysconfdir}/pam.d/sudo-i %attr(0644,root,root) %{_tmpfilesdir}/sudo.conf -%dir /var/db/sudo -%dir /var/db/sudo/lectured +%dir %{_localstatedir}/db/sudo +%dir %{_localstatedir}/db/sudo/lectured %attr(4111,root,root) %{_bindir}/sudo %{_bindir}/sudoedit +%{_bindir}/cvtsudoers %attr(0111,root,root) %{_bindir}/sudoreplay %attr(0755,root,root) %{_sbindir}/visudo %attr(0755,root,root) %{_libexecdir}/sudo/sesh 
@@ -242,13 +206,14 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/sudoedit.8* %{_mandir}/man8/sudoreplay.8* %{_mandir}/man8/visudo.8* +%{_mandir}/man1/cvtsudoers.1.gz +%{_mandir}/man5/sudoers_timestamp.5.gz %dir %{_docdir}/sudo-%{version} %{_docdir}/sudo-%{version}/* - # Make sure permissions are ok even if we're updating %post -/bin/chmod 0440 /etc/sudoers || : +/bin/chmod 0440 %{_sysconfdir}/sudoers || : %files devel %defattr(-,root,root,-) @@ -257,6 +222,26 @@ rm -rf $RPM_BUILD_ROOT %{_mandir}/man8/sudo_plugin.8* %changelog +* Mon Sep 24 2018 Daniel Kopecek 1.8.23-3 +- RHEL-7.6 erratum + Resolves: rhbz#1547974 - Rebase sudo to latest stable upstream version + +* Fri Sep 21 2018 Daniel Kopecek 1.8.23-2 +- RHEL-7.6 erratum + Resolves: rhbz#1533964 - sudo skips PAM account module in case NOPASSWD is used in sudoers + Resolves: rhbz#1506025 - Latest update broke sudo for ldap users. + Resolves: rhbz#1502630 - inclusion of system-auth for session hooks missing in sudo PAM snippets + +* Thu Jun 28 2018 Daniel Kopecek 1.8.23-1 +- RHEL-7.6 erratum + Resolves: rhbz#1547974 - Rebase sudo to latest stable upstream version (1.8.23) + Resolves: rhbz#1502630 - inclusion of system-auth for session hooks missing in sudo PAM snippets + Resolves: rhbz#1506025 - Latest update broke sudo for ldap users. + Resolves: rhbz#1533964 - sudo skips PAM account module in case NOPASSWD is used in sudoers + Resolves: rhbz#1548380 - RFE: Create flag to filter to sudo -l output + Resolves: rhbz#1510002 - Ensure that the command input (stdin) eating behaviour of Default log_input is documented + Resolves: rhbz#1596032 - Why does sudo package depend on vim-minimal? + * Thu Nov 30 2017 Radovan Sroka 1.8.19p2-13 - RHEL 7.5 erratum - Fixed sudo -l checking results whether user should be authenticated 
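Review bot: The two added man-page entries hard-code the `.gz` suffix, while the existing entries around them use a glob (`sudoedit.8*`, `visudo.8*`). If the build's man-page compression is changed or disabled, `%files` will fail on these two paths only. Writing them as `%{_mandir}/man1/cvtsudoers.1*` and `%{_mandir}/man5/sudoers_timestamp.5*` keeps them consistent with the rest of the list.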
@@ -333,11 +318,11 @@ rm -rf $RPM_BUILD_ROOT * Wed Mar 08 2017 Tomas Sykora - 1.8.19p2-2 - RHEL 7.4 erratum -- Fixes coverity scan issues created by our patches: +- Fixes coverity scan issues created by our patches: - fixed resource leaks and a compiler warning in digest backport patch - removed needless code from cmnd_no_wait patch causing clang warning - format of the last changelog message causes problems to rhpkg push, - so don't use that as a commit message + so don't use that as a commit message Resolves: rhbz#1360687 * Wed Mar 01 2017 Tomas Sykora - 1.8.19p2-1 @@ -346,7 +331,7 @@ rm -rf $RPM_BUILD_ROOT - Resolves: rhbz#1123526 - performance improvement - Resolves: rhbz#1308789 - add MAIL and NOMAIL tags - Resolves: rhbz#1348504 - sudo now parses sudoers with sudoers locale - - Resolves: rhbz#1374417 - "sudo -l command" indicated that the command + - Resolves: rhbz#1374417 - "sudo -l command" indicated that the command was runnable even if denied by sudoers when using LDAP or SSSD backend. - Resolves: rhbz#1387303 - add ignore_iolog_errors option - Resolves: rhbz#1389360 - wrong log file group ownership @@ -553,7 +538,7 @@ rm -rf $RPM_BUILD_ROOT * Thu May 17 2012 Daniel Kopecek - 1.8.5-1 - update to 1.8.5 - fixed CVE-2012-2337 -- temporarily disabled SSSD support +- temporarily disabled SSSD support * Wed Feb 29 2012 Daniel Kopecek - 1.8.3p1-6 - fixed problems with undefined symbols (rhbz#798517) @@ -572,7 +557,7 @@ rm -rf $RPM_BUILD_ROOT * Thu Nov 10 2011 Daniel Kopecek - 1.8.3p1-1 - update to 1.8.3p1 -- disable output word wrapping if the output is piped +- disable output word wrapping if the output is piped * Wed Sep 7 2011 Peter Robinson - 1.8.1p2-2 - Remove execute bit from sample script in docs so we don't pull in perl 
@@ -707,7 +692,7 @@ rm -rf $RPM_BUILD_ROOT - sparc64 needs to be in the -fPIE list with s390 * Mon Jan 07 2008 Peter Vrabec 1.6.9p4-5 -- fix complains about audit_log_user_command(): Connection +- fix complains about audit_log_user_command(): Connection refused (#401201) * Wed Dec 05 2007 Release Engineering - 1.6.9p4-4 @@ -809,7 +794,7 @@ rm -rf $RPM_BUILD_ROOT - rebuild * Mon Oct 4 2004 Thomas Woerner 1.6.7p5-30.1 -- added missing BuildRequires for libselinux-devel (#132883) +- added missing BuildRequires for libselinux-devel (#132883) * Wed Sep 29 2004 Dan Walsh 1.6.7p5-30 - Fix missing param error in sesh @@ -836,7 +821,7 @@ rm -rf $RPM_BUILD_ROOT exec of child with SELinux patch * Thu Mar 18 2004 Dan Walsh 1.6.7p5-23 -- change to default to sysadm_r +- change to default to sysadm_r - Fix tty handling * Thu Mar 18 2004 Dan Walsh 1.6.7p5-22 @@ -844,7 +829,7 @@ rm -rf $RPM_BUILD_ROOT - replace /bin/bash -c with /bin/sesh * Tue Mar 16 2004 Dan Walsh 1.6.7p5-21 -- Hard code to use "/bin/bash -c" for selinux +- Hard code to use "/bin/bash -c" for selinux * Tue Mar 16 2004 Dan Walsh 1.6.7p5-20 - Eliminate closing and reopening of terminals, to match su. @@ -869,7 +854,7 @@ rm -rf $RPM_BUILD_ROOT - Fix is_selinux_enabled call * Tue Jan 13 2004 Dan Walsh 1.6.7p5-13 -- Clean up patch on failure +- Clean up patch on failure * Tue Jan 6 2004 Dan Walsh 1.6.7p5-12 - Remove sudo.te for now. @@ -992,7 +977,7 @@ rm -rf $RPM_BUILD_ROOT - fixed so it doesn't find /usr/bin/vi first, but instead /bin/vi (always installed) * Thu Oct 08 1998 Michael Maher -- built package for 5.2 +- built package for 5.2 * Mon May 18 1998 Michael Maher - updated SPEC file @@ -1004,9 +989,10 @@ rm -rf $RPM_BUILD_ROOT - built for glibc, no problems * Fri Apr 25 1997 Michael Fulbright -- Fixed for 4.2 PowerTools +- Fixed for 4.2 PowerTools - Still need to be pamified - Still need to move stmp file to /var/log * Mon Feb 17 1997 Michael Fulbright - First version for PowerCD. +