--- sudo-1.6.9p17.orig/sudo.pod +++ sudo-1.6.9p17/sudo.pod @@ -378,8 +378,8 @@ To prevent command spoofing, B checks "." and "" (both denoting current directory) last when searching for a command in the user's PATH (if one or both are in the PATH). Note, however, that the -actual C environment variable is I modified and is passed -unchanged to the program that B executes. +C environment variable is further modified in Debian because of +the use of the I build option. B will check the ownership of its timestamp directory (F<@timedir@> by default) and ignore the directory's contents if @@ -519,6 +519,10 @@ L, L, L, L +The file /usr/share/doc/sudo/OPTIONS describes the options used for building +the Debian version of sudo, some of which change default behaviors documented +elsewhere in this document. + =head1 AUTHORS Many people have worked on B over the years; this --- sudo-1.6.9p17.orig/sudoers.pod +++ sudo-1.6.9p17/sudoers.pod @@ -93,7 +93,7 @@ Cmnd_Alias ::= NAME '=' Cmnd_List - NAME ::= [A-Z]([A-Z][0-9]_)* + NAME ::= [A-Z]([a-z][A-Z][0-9]_)* Each I definition is of the form @@ -437,12 +437,36 @@ =over 16 -=item always_set_home +=item mail_badpass -If set, B will set the C environment variable to the home -directory of the target user (which is root unless the B<-u> option is used). -This effectively means that the B<-H> flag is always implied. -This flag is I by default. +Send mail to the I user if the user running B does not +enter the correct password. This flag is I by default. + +=item mail_no_host + +If set, mail will be sent to the I user if the invoking +user exists in the I file, but is not allowed to run +commands on the current host. This flag is I<@mail_no_host@> by default. + +=item mail_no_perms + +If set, mail will be sent to the I user if the invoking +user is allowed to use B but the command they are trying is not +listed in their I file entry or is explicitly denied. +This flag is I<@mail_no_perms@> by default. + +=item mail_no_user + +If set, mail will be sent to the I user if the invoking +user is not in the I file. This flag is I<@mail_no_user@> +by default. + +=item noexec + +If set, all commands run via B will behave as if the C +tag has been set, unless overridden by a C tag. See the +description of I below as well as the L section at the end of this manual. This flag is I by default. =item authenticate @@ -1001,7 +1025,10 @@ =item env_delete -Environment variables to be removed from the user's environment. + +Not effective due to security issues: only variables listed in +I or I can be passed through B! + The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and @@ -1013,8 +1040,8 @@ =item env_keep -Environment variables to be preserved in the user's environment -when the I option is in effect. This allows fine-grained +Environment variables to be preserved in the user's environment. +This allows fine-grained control over the environment B-spawned processes will receive. The argument may be a double-quoted, space-separated list or a single value without double-quotes. The list can be replaced, added @@ -1062,6 +1089,15 @@ Below are example I entries. Admittedly, some of these are a bit contrived. First, we define our I: +Below are example I entries. Admittedly, some of +these are a bit contrived. First, we allow a few environment +variables to pass and then define our I: + + # Run X applications through sudo; HOME is used to find .Xauthority file + # Note that some programs may use HOME for other purposes too and + # this may lead to privilege escalation! + Defaults env_keep = "DISPLAY HOME" + # User alias specification User_Alias FULLTIMERS = millert, mikef, dowdy User_Alias PARTTIMERS = bostley, jwfox, crawl --- sudo-1.6.9p17.orig/config.sub +++ sudo-1.6.9p17/config.sub @@ -148,7 +148,7 @@ -convergent* | -ncr* | -news | -32* | -3600* | -3100* | -hitachi* |\ -c[123]* | -convex* | -sun | -crds | -omron* | -dg | -ultra | -tti* | \ -harris | -dolphin | -highlevel | -gould | -cbm | -ns | -masscomp | \ - -apple | -axis | -knuth | -cray | -sr2201*) + -apple | -axis | -knuth | -cray) os= basic_machine=$1 ;; @@ -583,10 +583,6 @@ basic_machine=h8500-hitachi os=-hms ;; - sr2201*) - basic_machine=harp1e-hitachi - os=-hiuxmpp - ;; harris) basic_machine=m88k-harris os=-sysv3 --- sudo-1.6.9p17.orig/sudoers.man.in +++ sudo-1.6.9p17/sudoers.man.in @@ -917,6 +917,12 @@ .el .IP "\f(CW%u\fR" 4 .IX Item "%u" expanded to the invoking user's login name +.ie n .IP "%p" 4 +.el .IP "\f(CW%p\fR" 4 +.IX Item "%p" +expanded to the user whose password is asked for (respects the presence of the +rootpw, targetpw or runaspw options in the configuration) + .ie n .IP "\*(C`%%\*(C'" 4 .el .IP "\f(CW\*(C`%%\*(C'\fR" 4 .IX Item "%%" @@ -1035,6 +1041,57 @@ Address to send warning and error mail to. The address should be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to protect against \fBsudo\fR interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to \f(CW\*(C`@mailto@\*(C'\fR. +.IP "exempt_group" 12 +.IX Item "exempt_group" +Users in this group are exempt from password and \s-1PATH\s0 requirements. +On Debian systems, this is set to the group 'sudo' by default. +.IP "syslog" 12 +.IX Item "syslog" +Syslog facility if syslog is being used for logging (negate to +disable syslog logging). Defaults to \f(CW\*(C`@logfac@\*(C'\fR. +.IP "verifypw" 12 +.IX Item "verifypw" +This option controls when a password will be required when a user runs +\&\fBsudo\fR with the \fB\-v\fR flag. It has the following possible values: +.RS 12 +.IP "all" 8 +.IX Item "all" +All the user's \fIsudoers\fR entries for the current host must have +the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password. +.IP "always" 8 +.IX Item "always" +The user must always enter a password to use the \fB\-l\fR flag. +.IP "any" 8 +.IX Item "any" +At least one of the user's \fIsudoers\fR entries for the current host +must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password. +.IP "never" 8 +.IX Item "never" +The user need never enter a password to use the \fB\-l\fR flag. +.RE +.RS 12 +.Sp +If no value is specified, a value of \fIany\fR is implied. +Negating the option results in a value of \fInever\fR being used. +The default value is \fIany\fR. +.RE +.IP "logfile" 12 +.IX Item "logfile" +Path to the \fBsudo\fR log file (not the syslog log file). Setting a path +turns on logging to a file; negating this option turns it off. +By default, \fBsudo\fR logs via syslog. +.IP "mailerflags" 12 +.IX Item "mailerflags" +Flags to use when invoking mailer. Defaults to \fB\-t\fR. +.IP "mailerpath" 12 +.IX Item "mailerpath" +Path to mail program used to send warning mail. +Defaults to the path to sendmail found at configure time. +.IP "mailto" 12 +.IX Item "mailto" +Address to send warning and error mail to. The address should +be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to protect against \fBsudo\fR +interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to \f(CW\*(C`@mailto@\*(C'\fR. .IP "syslog" 12 .IX Item "syslog" Syslog facility if syslog is being used for logging (negate to --- sudo-1.6.9p17.orig/sudo.c +++ sudo-1.6.9p17/sudo.c @@ -122,6 +122,7 @@ static void usage_excl __P((int)) __attribute__((__noreturn__)); static void usage_excl __P((int)); +static void create_admin_success_flag __P((void)); static struct passwd *get_authpw __P((void)); extern int sudo_edit __P((int, char **, char **)); extern void list_matches __P((void)); @@ -131,6 +132,7 @@ extern struct passwd *sudo_getpwnam __P((const char *)); extern struct passwd *sudo_getpwuid __P((uid_t)); extern struct passwd *sudo_pwdup __P((const struct passwd *)); +extern void runas_resetgroups __P((void)); /* * Globals @@ -174,7 +176,7 @@ extern char **environ; #ifdef HAVE_SETLOCALE - setlocale(LC_ALL, ""); + setlocale(LC_ALL, "C"); #endif Argv = argv; @@ -365,6 +367,10 @@ } if (ISSET(validated, VALIDATE_OK)) { + /* If the user is in the admin group, create a dotfile to signal that + * sudo was executed successfully. */ + create_admin_success_flag(); + /* Finally tell the user if the command did not exist. */ if (cmnd_status == NOT_FOUND_DOT) { warnx("ignoring `%s' found in '.'\nUse `sudo ./%s' if this is the `%s' you wish to run.", user_cmnd, user_cmnd, user_cmnd); @@ -523,6 +529,7 @@ * "host" is the (possibly fully-qualified) hostname and * "shost" is the unqualified form of the hostname. */ + sudo_user.host_fqdn_queried = FALSE; nohostname = gethostname(thost, sizeof(thost)); if (nohostname) user_host = user_shost = "localhost"; @@ -532,13 +539,7 @@ /* Defer call to set_fqdn() until log_error() is safe. */ user_shost = user_host; } else { - if ((p = strchr(user_host, '.'))) { - *p = '\0'; - user_shost = estrdup(user_host); - *p = '.'; - } else { - user_shost = user_host; - } + user_shost = user_host; } } @@ -1217,6 +1218,7 @@ } else { user_shost = user_host; } + sudo_user.host_fqdn_queried = TRUE; } /* @@ -1244,6 +1246,7 @@ if (runas_pw == NULL) log_error(NO_MAIL|MSG_ONLY, "no passwd entry for %s!", user); } + runas_resetgroups(); return(TRUE); } @@ -1381,3 +1384,53 @@ } exit(exit_val); } + +static void create_admin_success_flag(void) +{ + struct group* admin; + char** g; + int is_admin; + char flagfile[PATH_MAX]; + int f; + + if (!sudo_user.pw || !sudo_user.pw->pw_name || !sudo_user.pw->pw_dir) + return; + + /* check whether the user is in the admin group */ + admin = getgrnam("admin"); + if (!admin || !admin->gr_mem) + return; + is_admin = 0; + for (g = admin->gr_mem; *g; ++g) { + if (!strcmp(*g, sudo_user.pw->pw_name)) { + is_admin = 1; + break; + } + } + if (!is_admin) + return; + + /* build path to flag file */ + snprintf(flagfile, sizeof(flagfile), "%s/.sudo_as_admin_successful", + sudo_user.pw->pw_dir); + if (strlen(flagfile) >= sizeof(flagfile)-1) + return; + + /* drop to user privileges to prevent issues with root_squash on NFS */ + set_perms(PERM_USER); + f = access(flagfile, F_OK); + set_perms(PERM_ROOT); + + /* do nothing if the file already exists */ + if (!f) + return; + + /* create file */ + set_perms(PERM_USER); + f = open(flagfile, O_CREAT|O_WRONLY|O_EXCL, 0644); + set_perms(PERM_ROOT); + if(f >= 0) { + fchown(f, sudo_user.pw->pw_uid, sudo_user.pw->pw_gid); + close(f); + } +} --- sudo-1.6.9p17.orig/find_path.c +++ sudo-1.6.9p17/find_path.c @@ -133,7 +133,10 @@ * Check current dir if dot was in the PATH */ if (!result && checkdot) { - result = sudo_goodpath(infile, sbp); + len = snprintf(command, sizeof(command), "./%s", infile); + if (len <= 0 || len >= sizeof(command)) + errx(1, "%s: File name too long", infile); + result = sudo_goodpath(command, sbp); if (result && def_ignore_dot) return(NOT_FOUND_DOT); } --- sudo-1.6.9p17.orig/sudo.man.in +++ sudo-1.6.9p17/sudo.man.in @@ -469,8 +469,8 @@ To prevent command spoofing, \fBsudo\fR checks \*(L".\*(R" and "" (both denoting current directory) last when searching for a command in the user's \&\s-1PATH\s0 (if one or both are in the \s-1PATH\s0). Note, however, that the -actual \f(CW\*(C`PATH\*(C'\fR environment variable is \fInot\fR modified and is passed -unchanged to the program that \fBsudo\fR executes. +\&\f(CW\*(C`PATH\*(C'\fR environment variable is further modified in Debian because of +the use of the \fI\s-1SECURE_PATH\s0\fR build option. .PP \&\fBsudo\fR will check the ownership of its timestamp directory (\fI@timedir@\fR by default) and ignore the directory's contents if @@ -579,19 +579,19 @@ file system holding ~yazza is not exported as root: .PP .Vb 1 -\& $ sudo -u yazza ls ~yazza +\& $ sudo \-u yazza ls ~yazza .Ve .PP To edit the \fIindex.html\fR file as user www: .PP .Vb 1 -\& $ sudo -u www vi ~www/htdocs/index.html +\& $ sudo \-u www vi ~www/htdocs/index.html .Ve .PP To shutdown a machine: .PP .Vb 1 -\& $ sudo shutdown -r +15 "quick reboot" +\& $ sudo shutdown \-r +15 "quick reboot" .Ve .PP To make a usage listing of the directories in the /home @@ -599,13 +599,17 @@ to make the \f(CW\*(C`cd\*(C'\fR and file redirection work. .PP .Vb 1 -\& $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" +\& $ sudo sh \-c "cd /home ; du \-s * | sort \-rn > USAGE" .Ve .SH "SEE ALSO" .IX Header "SEE ALSO" \&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2), @LCMAN@\&\fIlogin_cap\fR\|(3), \&\fIpasswd\fR\|(@mansectform@), \fIsudoers\fR\|(5), \fIvisudo\fR\|(@mansectsu@) +.PP +The file /usr/share/doc/sudo/OPTIONS describes the options used for building +the Debian version of sudo, some of which change default behaviors documented +elsewhere in this document. .SH "AUTHORS" .IX Header "AUTHORS" Many people have worked on \fBsudo\fR over the years; this --- sudo-1.6.9p17.orig/visudo.man.in +++ sudo-1.6.9p17/visudo.man.in @@ -165,15 +165,19 @@ .PP There is a hard-coded list of editors that \fBvisudo\fR will use set at compile-time that may be overridden via the \fIeditor\fR \fIsudoers\fR -\&\f(CW\*(C`Default\*(C'\fR variable. This list defaults to the path to \fIvi\fR\|(1) on -your system, as determined by the \fIconfigure\fR script. Normally, -\&\fBvisudo\fR does not honor the \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR environment +\&\f(CW\*(C`Default\*(C'\fR variable. +On Debian systems, this list defaults to /usr/bin/editor, which is meant to +be a system-wide default editor chosen through the alternatives system. +Normally, \&\fBvisudo\fR does not honor the \f(CW\*(C`VISUAL\*(C'\fR or +\f(CW\*(C`EDITOR\*(C'\fR environment variables unless they contain an editor in the aforementioned editors list. However, if \fBvisudo\fR is configured with the \fI\-\-with\-enveditor\fR flag or the \fIenv_editor\fR \f(CW\*(C`Default\*(C'\fR variable is set in \fIsudoers\fR, \&\fBvisudo\fR will use any the editor defines by \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR. Note that this can be a security hole since it allows the user to execute any program they wish simply by setting \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR. +Despite this potential risk, sudo on Debian is compiled with the +\fI\-\-with\-enveditor\fR flag. .PP \&\fBvisudo\fR parses the \fIsudoers\fR file after the edit and will not save the changes if there is a syntax error. Upon finding --- sudo-1.6.9p17.orig/env.c +++ sudo-1.6.9p17/env.c @@ -120,6 +120,8 @@ static const char *initial_badenv_table[] = { "IFS", "CDPATH", + "SHELLOPTS", + "PS4", "LOCALDOMAIN", "RES_OPTIONS", "HOSTALIASES", @@ -209,6 +211,7 @@ "TZ", "XAUTHORITY", "XAUTHORIZATION", + "http_proxy", NULL }; @@ -273,6 +276,7 @@ { char **nep; size_t varlen; + int found = FALSE; /* Make sure there is room for the new entry plus a NULL. */ if (e->env_len + 2 > e->env_size) { @@ -281,20 +285,34 @@ } if (dupcheck) { - varlen = (strchr(str, '=') - str) + 1; + varlen = (strchr(str, '=') - str) + 1; - for (nep = e->envp; *nep; nep++) { + for (nep = e->envp; !found && *nep != NULL; nep++) { + if (strncmp(str, *nep, varlen) == 0) { + *nep = str; + found = TRUE; + } + } + /* Prune out duplicate variables. */ + if (found) { + while (*nep != NULL) { if (strncmp(str, *nep, varlen) == 0) { - *nep = str; - return; + memmove(nep, nep + 1, + (e->env_len - (nep - e->envp)) * sizeof(char *)); + e->env_len--; + } else { + nep++; } } - } else - nep = e->envp + e->env_len; + } + } - e->env_len++; - *nep++ = str; - *nep = NULL; + if (!found) { + nep = e->envp + e->env_len; + e->env_len++; + *nep++ = str; + *nep = NULL; + } } /* @@ -426,6 +444,17 @@ if (keepit == -1) keepit = matches_env_keep(*ep); + if (!strncmp (*ep, "DISPLAY=",8) + || !strncmp (*ep, "XAUTHORITY=", 11) + || !strncmp (*ep, "XAUTHORIZATION=", 15) + || !strncmp (*ep, "XAPPLRESDIR=", 12) + || !strncmp (*ep, "XFILESEARCHPATH=", 16) + || !strncmp (*ep, "XUSERFILESEARCHPATH=", 20) + || !strncmp (*ep, "LANG=", 5) + || !strncmp (*ep, "LANGUAGE=", 9) + || !strncmp (*ep, "LC_", 3)) + keepit = 1; + /* For SUDO_PS1 -> PS1 conversion. */ if (strncmp(*ep, "SUDO_PS1=", 8) == 0) ps1 = *ep + 5; --- sudo-1.6.9p17.orig/.gbp.conf +++ sudo-1.6.9p17/.gbp.conf @@ -0,0 +1,46 @@ +# Configuration file for git-buildpackage and friends + +[DEFAULT] +# the default build command: +#builder = debuild -i\.git/ -I.git +# the default clean command: +#cleaner = debuild clean +# the default branch for upstream sources: +upstream-branch = upstream +# the default branch for the debian patch: +debian-branch = master +# the default tag formats used: +#upstream-tag = upstream/%(version)s +#debian-tag = debian/%(version)s +# use pristine-tar: +pristine-tar = True + +# Options only affecting git-buildpackage +[git-buildpackage] +#upstream-branch = dfsgclean +# uncomment this to automatically GPG sign tags +#sign-tags = True +# keyid to GPG sign tags with +#keyid = 0xdeadbeef +# push to a remote repository after a successful tag: +#posttag = git-push git.example.com +# use this for more svn-buildpackage like behaviour: +export-dir = ../build-area/sudo/ +#tarball-dir = ../tarballs/ + +# Options only affecting git-import-orig +[git-import-orig] +#upstream-branch = newupstream +#debian-branch = dfsgclean +#filter = .svn + +# Options only affecting git-import-dsc +[git-import-dsc] +#upstream-branch = svn-upstream +#filter = [ 'CVS', '.cvsignore' ] + +# Options only affecting git-dch +[git-dch] +#git-log = --no-merges +#snapshot-number = snapshot + 1 + --- sudo-1.6.9p17.orig/sudoers +++ sudo-1.6.9p17/sudoers @@ -7,6 +7,8 @@ # See the sudoers man page for the details on how to write a sudoers file. # +# Defaults syslog=auth, secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin" + # Host alias specification # User alias specification --- sudo-1.6.9p17.orig/Makefile.in +++ sudo-1.6.9p17/Makefile.in @@ -194,9 +194,9 @@ @DEV@PARSESRCS = sudo.tab.h sudo.tab.c lex.yy.c def_data.c def_data.h # Uncomment the following if you intend to modify parse.yacc -@DEV@sudo.tab.c sudo.tab.h: parse.yacc -@DEV@ rm -f sudo.tab.h sudo.tab.c -@DEV@ $(YACC) -d -b sudo $(srcdir)/parse.yacc +sudo.tab.c sudo.tab.h: parse.yacc + rm -f sudo.tab.h sudo.tab.c + $(YACC) -d -b sudo $(srcdir)/parse.yacc # Uncomment the following if you intend to modify parse.lex @DEV@lex.yy.c: parse.lex @@ -327,7 +327,7 @@ $(INSTALL) -O $(sudoers_uid) -G $(sudoers_gid) -M $(sudoers_mode) \ $(srcdir)/sudoers $(DESTDIR)$(sudoersdir)/sudoers -install-man: +install-man: sudo.$(mantype) visudo.$(mantype) sudoers.$(mantype) $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0444 @mansrcdir@/sudo.$(mantype) $(DESTDIR)$(mandirsu)/sudo.$(mansectsu) @rm -f $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu) ln $(DESTDIR)$(mandirsu)/sudo.$(mansectsu) $(DESTDIR)$(mandirsu)/sudoedit.$(mansectsu) @@ -394,8 +394,6 @@ fi ; \ cp $(srcdir)/INSTALL.binary $$tdir/INSTALL ; \ sh ./config.status --file=Makefile.binary && cp Makefile.binary $$tdir/Makefile ; \ - strip sudo ; \ - strip visudo ; \ cd tmp.$$ARCH && tar Ocf ../sudo-$(VERSION)-$$ARCH.tar sudo-$(VERSION) && cd .. ; \ gzip --best sudo-$(VERSION)-$$ARCH.tar ; \ rm -rf tmp.$$ARCH ; \ --- sudo-1.6.9p17.orig/set_perms.c +++ sudo-1.6.9p17/set_perms.c @@ -376,11 +376,12 @@ #endif /* HAVE_SETRESUID */ #ifdef HAVE_INITGROUPS +static int runas_ngroups = -1; +static GETGROUPS_T *runas_groups; + static void runas_setgroups() { - static int ngroups = -1; - static GETGROUPS_T *groups; struct passwd *pw; if (def_preserve_groups) @@ -389,21 +390,28 @@ /* * Use stashed copy of runas groups if available, else initgroups and stash. */ - if (ngroups == -1) { + if (runas_ngroups == -1) { pw = runas_pw ? runas_pw : sudo_user.pw; if (initgroups(pw->pw_name, pw->pw_gid) < 0) log_error(USE_ERRNO|MSG_ONLY, "can't set runas group vector"); - if ((ngroups = getgroups(0, NULL)) < 0) + if ((runas_ngroups = getgroups(0, NULL)) < 0) log_error(USE_ERRNO|MSG_ONLY, "can't get runas ngroups"); - groups = emalloc2(ngroups, sizeof(GETGROUPS_T)); - if (getgroups(ngroups, groups) < 0) + runas_groups = emalloc2(runas_ngroups, sizeof(GETGROUPS_T)); + if (getgroups(runas_ngroups, runas_groups) < 0) log_error(USE_ERRNO|MSG_ONLY, "can't get runas group vector"); } else { - if (setgroups(ngroups, groups) < 0) + if (setgroups(runas_ngroups, runas_groups) < 0) log_error(USE_ERRNO|MSG_ONLY, "can't set runas group vector"); } } +void +runas_resetgroups() +{ + runas_ngroups = -1; + efree(runas_groups); +} + static void restore_groups() { --- sudo-1.6.9p17.orig/sample.sudoers +++ sudo-1.6.9p17/sample.sudoers @@ -35,8 +35,8 @@ # Cmnd alias specification ## Cmnd_Alias DUMPS = /usr/sbin/dump, /usr/sbin/rdump, /usr/sbin/restore, \ - /usr/sbin/rrestore, /usr/bin/mt -Cmnd_Alias KILL = /usr/bin/kill + /usr/sbin/rrestore, /bin/mt +Cmnd_Alias KILL = /bin/kill Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown Cmnd_Alias HALT = /usr/sbin/halt @@ -82,7 +82,7 @@ sudoedit /etc/printcap, /usr/oper/bin/ # joe may su only to operator -joe ALL = /usr/bin/su operator +joe ALL = /bin/su operator # pete may change passwords for anyone but root on the hp snakes pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root @@ -96,13 +96,13 @@ # users in the secretaries netgroup need to help manage the printers # as well as add and remove users -+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser ++secretaries ALL = PRINTING, /usr/sbin/adduser, /usr/bin/rmuser # fred can run commands as oracle or sybase without a password fred ALL = (DB) NOPASSWD: ALL # on the alphas, john may su to anyone but root and flags are not allowed -john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* +john ALPHA = /bin/su [!-]*, !/bin/su *root* # jen can run anything on all machines except the ones # in the "SERVERS" Host_Alias --- sudo-1.6.9p17.orig/parse.yacc +++ sudo-1.6.9p17/parse.yacc @@ -441,6 +441,7 @@ efree($1); } | NETGROUP { + set_fqdn(); if (netgr_matches($1, user_host, user_shost, NULL)) $$ = TRUE; else @@ -448,6 +449,7 @@ efree($1); } | WORD { + set_fqdn(); if (hostname_matches(user_shost, user_host, $1) == 0) $$ = TRUE; else @@ -457,6 +459,7 @@ | ALIAS { aliasinfo *aip = find_alias($1, HOST_ALIAS); + set_fqdn(); /* could be an all-caps hostname */ if (aip) $$ = aip->val; --- sudo-1.6.9p17.orig/sudo.h +++ sudo-1.6.9p17/sudo.h @@ -43,6 +43,7 @@ char cwd[PATH_MAX]; char *host; char *shost; + int host_fqdn_queried; char **runas; char *prompt; char *cmnd; --- sudo-1.6.9p17.orig/parse.c +++ sudo-1.6.9p17/parse.c @@ -259,7 +259,7 @@ DIR *dirp; /* Check for pseudo-commands */ - if (strchr(user_cmnd, '/') == NULL) { + if (sudoers_cmnd[0] != '/') { /* * Return true if both sudoers_cmnd and user_cmnd are "sudoedit" AND * a) there are no args in sudoers OR @@ -621,9 +621,11 @@ /* * If the user has a supplementary group vector, check it first. */ - for (i = 0; i < user_ngroups; i++) { - if (grp->gr_gid == user_groups[i]) - return(TRUE); + if (strcmp(user, user_name) == 0) { + for (i = 0; i < user_ngroups; i++) { + if (grp->gr_gid == user_groups[i]) + return(TRUE); + } } if (grp->gr_mem != NULL) { for (cur = grp->gr_mem; *cur; cur++) { --- sudo-1.6.9p17.orig/configure +++ sudo-1.6.9p17/configure @@ -1444,7 +1444,7 @@ --bindir=DIR user executables [EPREFIX/bin] --sbindir=DIR system admin executables [EPREFIX/sbin] --libexecdir=DIR program executables [EPREFIX/libexec] - --sysconfdir=DIR read-only single-machine data [etc] + --sysconfdir=DIR read-only single-machine data [PREFIX/etc] --sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com] --localstatedir=DIR modifiable single-machine data [PREFIX/var] --libdir=DIR object code libraries [EPREFIX/lib] --- sudo-1.6.9p17.orig/ins_classic.h +++ sudo-1.6.9p17/ins_classic.h @@ -32,7 +32,7 @@ "Where did you learn to type?", "Are you on drugs?", "My pet ferret can type better than you!", - "You type like i drive.", + "You type like I drive.", "Do you think like you type?", "Your mind just hasn't been the same since the electro-shock, has it?", --- sudo-1.6.9p17.orig/debian/sudo-ldap.lintian +++ sudo-1.6.9p17/debian/sudo-ldap.lintian @@ -0,0 +1,2 @@ +sudo-ldap: setuid-binary usr/bin/sudo 4755 root/root +sudo-ldap: setuid-binary usr/bin/sudoedit 4755 root/root --- sudo-1.6.9p17.orig/debian/README.Debian +++ sudo-1.6.9p17/debian/README.Debian @@ -0,0 +1,42 @@ +The version of sudo that ships with Debian by default resets the +environment, as described by the "env_reset" flag in the sudoers file. + +This implies that all environment variables are removed, except for +HOME, LOGNAME, PATH, SHELL, TERM, DISPLAY, XAUTHORITY, XAUTHORIZATION, +XAPPLRESDIR, XFILESEARCHPATH, XUSERFILESEARCHPATH, LANG, LANGUAGE, LC_*, +and USER. + +In case you want sudo to preserve more environment variables, you must +specify the env_keep variable in the sudoers file. You should edit the +sudoers file using the visudo tool. + +Examples: +Preserve the default variables plus the EDITOR variable: + + Defaults env_keep+="EDITOR" + +Preserve the default variables plus all variables starting with LC_: + + Defaults env_keep+="LC_*" + + - - - - - + +If you're using the sudo-ldap package, note that it is now configured to +look for /etc/sudo-ldap.conf. Depending on your system configuration, it +probably makes sense for this to be a symlink to /etc/ldap.conf, or perhaps +to /etc/libnss-ldap.conf or /etc/pam_ldap.conf. By default, no symlink or +file is provided, you'll need to decide what to do and create a suitable +file before sudo-ldap will work. + + - - - - - + +See the file OPTIONS in this directory for more information on the sudo +build options used in building the Debian package. + + - - - - - + +If you're having trouble grasping the fundamental idea of what sudo is all +about, here's a succinct and humorous take on it... + + http://www.xkcd.com/c149.html + --- sudo-1.6.9p17.orig/debian/changelog +++ sudo-1.6.9p17/debian/changelog @@ -0,0 +1,870 @@ +sudo (1.6.9p17-1ubuntu3.3) jaunty-security; urgency=low + + * SECURITY UPDATE: properly handle multiple PATH variables when using + secure_path in env.c + - http://www.sudo.ws/repos/sudo/raw-rev/3057fde43cf0 + - CVE-2010-1646 + + -- Jamie Strandboge Fri, 18 Jun 2010 13:59:38 -0500 + +sudo (1.6.9p17-1ubuntu3.2) jaunty-security; urgency=low + + * SECURITY UPDATE: properly verify path in find_path.c for the 'sudoedit' + pseudo-command when running from the current working directory and + secure_path is disabled + - CVE-2010-1163 + + -- Jamie Strandboge Wed, 07 Apr 2010 15:38:30 -0500 + +sudo (1.6.9p17-1ubuntu3.1) jaunty-security; urgency=low + + * SECURITY UPDATE: properly verify path for the 'sudoedit' pseudo-command + in parse.c + - http://sudo.ws/repos/sudo/rev/f86e1b56d074 + - CVE-2010-0426 + * SECURITY UPDATE: reset cached supplementary runas groups when changing + the runas user in set_perms.c and sudo.c + - http://sudo.ws/repos/sudo/rev/aa0b6c01c462 + - CVE-2010-0427 + + -- Jamie Strandboge Wed, 24 Feb 2010 17:02:33 -0600 + +sudo (1.6.9p17-1ubuntu3) jaunty; urgency=low + + * SECURITY UPDATE: privilege escalation via non-default system groups. + - parse.c: upstream fix for CVE-2009-0034: + http://www.sudo.ws/cgi-bin/cvsweb/sudo/parse.c?r1=1.160.2.21&r2=1.160.2.22 + + -- Kees Cook Mon, 16 Feb 2009 12:13:47 -0800 + +sudo (1.6.9p17-1ubuntu2) intrepid; urgency=low + + * sudo.c: Drop usage of locale again, to revert back to the 1.6.8 behaviour. + fnmatch() and glob() behave differently under different locales and thus + cause undefined behaviour with (admittedly underspecified) character range + globs such as "[a-Z]". Patch taken from upstream CVS, see + http://www.gratisoft.us/bugzilla/show_bug.cgi?id=296 (LP: #228046) + + -- Martin Pitt Mon, 01 Sep 2008 15:05:52 +0200 + +sudo (1.6.9p17-1ubuntu1) intrepid; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/rules: Disable lecture, enable tty_tickets by default. (Ubuntu + specific) + - Add debian/sudo_root.8: Explanation of root handling through sudo. + Install it in debian/rules. (Ubuntu specific) + - sudo.c: If the user successfully authenticated and he is in the 'admin' + group, then create a stamp ~/.sudo_as_admin_successful. Our default bash + profile checks for this and displays a short intro about sudo if the + flag is not present. (Ubuntu specific) + - env.c: Add "http_proxy" to initial_keepenv_table, so that it is kept + for "sudo apt-get ...". (Ubuntu specific EBW hack, should disappear at + some point) + * debian/{rules,postinst,sudo-ldap.postinst}: Disable init script + installation. Debian reintroduced it because /var/run tmpfs is not the + default there, but has been on Ubuntu for ages. + + -- Martin Pitt Wed, 06 Aug 2008 10:41:58 +0200 + +sudo (1.6.9p17-1) unstable; urgency=low + + * new upstream version, closes: #481008 + * deliver schemas to doc directory in sudo-ldap package, closes: #474331 + * re-apply patch from Petter Reinholdtsen to improve init.d apparently lost + in move from CVS to git for package management, closes: #475821 + * re-instate the init.d for the sudo-ldap package too... /o\ + + -- Bdale Garbee Sun, 06 Jul 2008 01:16:31 -0600 + +sudo (1.6.9p15-2ubuntu1) intrepid; urgency=low + + * Merge from debian unstable, remaining changes: + - logging.c: Ignore SIGPIPE when creating an error email, so that non-fatal + error messages (like "unable to resolve local host name") do not lead to + being killed with SIGPIPE if /usr/bin/sendmail does not exist or crashes. + (LP #32906, http://www.gratisoft.us/bugzilla/show_bug.cgi?id=285) + - debian/postinst: put "NOPASSWD" example at the bottom, so that + uncommenting it will actually work (later entries override former ones). + (LP #131399, Debian #479616) + - debian/rules: Disable lecture, enable tty_tickets by default. (Ubuntu + specific) + - Add debian/sudo_root.8: Explanation of root handling through sudo. + Install it in debian/rules. (Ubuntu specific) + - sudo.c: If the user successfully authenticated and he is in the 'admin' + group, then create a stamp ~/.sudo_as_admin_successful. Our default bash + profile checks for this and displays a short intro about sudo if the + flag is not present. (Ubuntu specific) + - env.c: Add "http_proxy" to initial_keepenv_table, so that it is kept + for "sudo apt-get ...". (Ubuntu specific EBW hack, should disappear at + some point) + * debian/{rules,postinst}: Disable init script installation. Debian + reintroduced it because /var/run tmpfs is not the default there, but has + been on Ubuntu for ages. + + -- Martin Pitt Wed, 18 Jun 2008 11:41:27 +0200 + +sudo (1.6.9p15-2) unstable; urgency=low + + * revert the fix for 388659 such that visudo once again defaults to using + /usr/bin/editor. I was always ambivalent about this change, it has caused + more confusion and frustration than it cured, and I find Justin's line of + reasoning persuasive. Update the man page source to reflect this choice + and the related use of --with-env-editor. Closes: #474197. + * patch from Petter Reinholdtsen to improve init.d, closes: #475821 + + -- Bdale Garbee Wed, 16 Apr 2008 00:38:56 -0600 + +sudo (1.6.9p15-1) unstable; urgency=low + + * new upstream version, closes: #467126, #473337 + * remove pointless postrm scripts, leaving debhelper do its thing if needed, + thanks to Justin Pryzby for pointing this out + * reinstate the init.d, since bootclean doesn't quite do what we want. This + also means we don't need the preinst scripts any more. Update the lintian + overrides since postinst is a Perl script lintian apparently isn't parsing + well. closes: #330868 + + -- Bdale Garbee Thu, 03 Apr 2008 14:25:56 -0600 + +sudo (1.6.9p12-1ubuntu2) intrepid; urgency=low + + * debian/postinst: Fix a typo, and add a more helpful comment about the + ordering and overriding. (LP: #131399) + + -- Martin Pitt Wed, 14 May 2008 15:46:24 +0200 + +sudo (1.6.9p12-1ubuntu1) intrepid; urgency=low + + * Merge from debian unstable, remaining changes: + - debian/rules: Disable lecture, enable tty_tickets by default. (Ubuntu + specific) + - Add debian/sudo_root.8: Explanation of root handling through sudo. + Install it in debian/rules. (Ubuntu specific) + - sudo.c: If the user successfully authenticated and he is in the 'admin' + group, then create a stamp ~/.sudo_as_admin_successful. Our default bash + profile checks for this and displays a short intro about sudo if the + flag is not present. (Ubuntu specific) + - env.c: Add "http_proxy" to initial_keepenv_table, so that it is kept + for "sudo apt-get ...". (Ubuntu specific EBW hack, should disappear at + some point) + * logging.c: Ignore SIGPIPE when creating an error email, so that non-fatal + error messages (like "unable to resolve local host name") do not lead to + being killed with SIGPIPE if /usr/bin/sendmail does not exist or crashes. + Forwarded upstream to http://www.gratisoft.us/bugzilla/show_bug.cgi?id=285 + (LP: #32906) + * env.c: Do not clobber $HOME when not specifying -H or -s. Patch taken from + upstream CVS. (LP: #221395) + * debian/postinst: put "NOPASSWD" example at the bottom, so that + uncommenting it will actually work (later entries override former ones). + (LP: #131399) + + -- Martin Pitt Mon, 05 May 2008 20:31:58 +0200 + +sudo (1.6.9p12-1) unstable; urgency=low + + * new upstream version, closes: #464890 + + -- Bdale Garbee Tue, 19 Feb 2008 11:19:54 +0900 + +sudo (1.6.9p11-3) unstable; urgency=low + + * patch for configure to fix FTBFS on GNU/kFreeBSD, closes: #465956 + + -- Bdale Garbee Fri, 15 Feb 2008 10:54:21 -0700 + +sudo (1.6.9p11-2) unstable; urgency=low + + * update version compared in preinst when removing obsolete init.d, + closes: #459681 + * implement pam session config suggestions from Elizabeth Fong, + closes: #452457, #402329 + + -- Bdale Garbee Mon, 04 Feb 2008 21:26:23 -0700 + +sudo (1.6.9p11-1) unstable; urgency=low + + * new upstream version + + -- Bdale Garbee Fri, 11 Jan 2008 01:54:35 -0700 + +sudo (1.6.9p10-1) unstable; urgency=low + + * new upstream version + * tweak default password prompt as %u doesn't make sense. Accept patch from + Patrick Schoenfeld (recommend upstream accept it too) that adds a %p and + uses it by default, closes: #454409 + * accept patch from Martin Pitt that adds a prerm making it difficult to + "accidentally" remove sudo when there is no root password set on the + system, closes: #451241 + + -- Bdale Garbee Fri, 28 Dec 2007 11:44:30 -0700 + +sudo (1.6.9p9-1) unstable; urgency=low + + * new upstream version + * debian/rules: configure a more informative default password prompt to + reduce confusion when using sudo to invoke commands which also ask for + passwords, closes: #343268 + * auth/pam.c: don't use the PAM prompt if the user explicitly requested + a custom prompt, closes: #448628. + * fix configure's ability to discover that libc has dirfd, closes: #451324 + * make default editor be /usr/bin/vi instead of /usr/bin/editor, so that + the command 'visudo' invokes a vi variant by default as documented, + closes: #388659 + + -- Bdale Garbee Mon, 03 Dec 2007 10:26:51 -0700 + +sudo (1.6.9p6-1) unstable; urgency=low + + * new upstream version, closes: #442815, #446146, #438699, #435768, #435314 + closes: #434832, #434608, #430382 + * eliminate the now-redundant init.d scripts, closes: #397090 + * fix typo in TROUBLESHOOTING file, closes: #439624 + + -- Bdale Garbee Wed, 24 Oct 2007 21:13:41 -0600 + +sudo (1.6.8p12-6) unstable; urgency=low + + * fix typos in visudo.pod relating to env_editor variable, closes: #418886 + * have init.d touch directories in /var/run/sudo, not just files, as a + followup to #330868. + * fix various typos in sudoers.pod, closes: #419749 + * don't let Makefile strip binaries, closes: #438073 + + -- Bdale Garbee Wed, 05 Sep 2007 11:26:58 +0100 + +sudo (1.6.8p12-5) unstable; urgency=low + + * update debian/copyright to reflect new upstream URL, closes: #368746 + * add sandwich cartoon URL to the README.Debian + * don't remove sudoers on purge. can cause problems when moving between + sudo and sudo-ldap. leaving sudoers around on purge seems like the least + evil choice for now, closes: #401366 + * also preserve XAPPLRESDIR, XFILESEARCHPATH, and XUSERFILESEARCHPATH, + closes: #374509 + * accept patch that improves debian/rules from Ted Percival, closes: #382122 + * no longer build with --with-exempt=sudo, provide an example entry in the + default sudoers file instead, closes: #296605 + * add --with-devel to configure and augment build dependencies so that flex + and yacc files get re-generated on every build, closes: #316249 + + -- Bdale Garbee Tue, 3 Apr 2007 21:48:45 -0600 + +sudo (1.6.8p12-4) unstable; urgency=low + + * patch from Petter Reinholdtsen for the LSB info block in the init.d + script, closes: #361055 + * deliver sudoers sample again, closes: #361593 + + -- Bdale Garbee Sat, 15 Apr 2006 01:38:04 -0600 + +sudo (1.6.8p12-3) unstable; urgency=low + + * force-feed configure knowledge of nroff's path so we get unformatted man + pages installed without build-depending on groff-base, closes: #360894 + * add a reference to OPTIONS in the man page, closes: #186226 + + -- Bdale Garbee Wed, 5 Apr 2006 17:53:13 -0700 + +sudo (1.6.8p12-2) unstable; urgency=low + + * fix typos in init scripts, closes: #346325 + * update to debhelper compat level 5 + * build depend on autotools-dev to ensure config.sub/guess are fresh + * accept patch from Martin Schulze developed for 1.6.8p7-1.4 in stable, and + use it here as well. Thanks to Martin and the debian-security team. + closes: #349196, #349549, #349587, #349729, #349129, #350776, #349085 + closes: #315115, #315718, #203874 + * Non-maintainer upload by the Security Team + * Reworked the former patch to limit environment variables from being + passed through, set env_reset as default instead [sudo.c, env.c, + sudoers.pod, Bug#342948, CVE-2005-4158] + * env_reset is now set by default + * env_reset will preserve only HOME, LOGNAME, PATH, SHELL, TERM, + DISPLAY, XAUTHORITY, XAUTHORIZATION, LANG, LANGUAGE, LC_*, and USER + (in addition to the SUDO_* variables) + * Rebuild sudoers.man.in from the POD file + * Added README.Debian + * patch from Alexander Zangerl to fix duplicated PATH issue, closes: #354431 + * simplify rules file by using more of Makefile, despite having to override + default directories with more arguments to configure, closes: #292833 + * update sudo man page to reflect use of SECURE_PATH, closes: #228551 + * inconsistencies in sudoers man page resolved, closes: #220808, #161012 + * patch from Jeroen van Wolffelaar to improve behavior when FQDNs are + unresolveable (requires adding bison as build dep), closes: #314949 + + -- Bdale Garbee Sun, 2 Apr 2006 14:26:20 -0700 + +sudo (1.6.8p12-1) unstable; urgency=low + + * new upstream version, closes: #342948 (CVE-2005-4158) + * add env_reset to the sudoers file we create if none already exists, + as a further precaution in response to discussion about CVS-2005-4158 + * split ldap support into a new sudo-ldap package. I was trying to avoid + doing this, but the impact of going from 4 to 17 linked shlibs on the + autobuilder chroots is sufficient motivation for me. + closes: #344034 + + -- Bdale Garbee Wed, 28 Dec 2005 13:49:10 -0700 + +sudo (1.6.8p9-4) unstable; urgency=low + + * enable ldap support, deliver README.LDAP and sudoers2ldif, closes: #283231 + * merge patch from Martin Pitt / Ubuntu to be more robust about resetting + timestamps in the init.d script, closes: #330868 + * add dependency header to init.d script, closes: #332849 + + -- Bdale Garbee Sat, 10 Dec 2005 07:47:07 -0800 + +sudo (1.6.8p9-3) unstable; urgency=high + + * update debhelper compatibility level from 2 to 4 + * add man page symlink for sudoedit + * Clean SHELLOPTS and PS4 from the environment before executing programs + with sudo permissions [env.c, CAN-2005-2959] + * fix typo in manpage pointed out by Moray Allen, closes: #285995 + * fix paths in sample complex sudoers file, closes: #303542 + * fix type in sudoers man page, closes: #311244 + + -- Bdale Garbee Wed, 28 Sep 2005 01:18:04 -0600 + +sudo (1.6.8p9-2) unstable; urgency=high + + * merge the NMU fix for sudoedit symlink problem that was in 1.6.8p7-1.1, + closes: #305735 + + -- Bdale Garbee Tue, 28 Jun 2005 16:18:47 -0400 + +sudo (1.6.8p9-1) unstable; urgency=high + + * new upstream version, fixes a race condition in sudo's pathname + validation, which is a security issue (CAN-2005-1993), + closes: #315115, #315718 + + -- Bdale Garbee Tue, 28 Jun 2005 15:33:11 -0400 + +sudo (1.6.8p7-1) unstable; urgency=low + + * new upstream version, closes: #299585 + * update lintian overrides to squelch the postinst warning + * change sudoedit from a hard to a soft link, closes: #296896 + * fix regex doc in sudoers man page, closes: #300361 + + -- Bdale Garbee Sat, 26 Mar 2005 22:18:34 -0700 + +sudo (1.6.8p5-1) unstable; urgency=high + + * new upstream version + * restores ability to use config tuples without a value, which was causing + problems on upgrade closes: #283306 + * deliver sudoedit, closes: #283078 + * marking urgency high since 283306 is a serious upgrade incompatibility + + -- Bdale Garbee Fri, 3 Dec 2004 10:11:16 -0700 + +sudo (1.6.8p3-2) unstable; urgency=high + + * update pam.d deliverable so ldap works again, closes: #282191 + + -- Bdale Garbee Mon, 22 Nov 2004 11:44:46 -0700 + +sudo (1.6.8p3-1) unstable; urgency=high + + * new upstream version, fixes a flaw in sudo's environment sanitizing that + could allow a malicious user with permission to run a shell script that + utilized the bash shell to run arbitrary commands, closes: #281665 + * patch the sample sudoers to have the proper path for kill on Debian + systems, closes: #263486 + * patch the sudo manpage to reflect Debian's choice of exempt_group + default setting, closes: #236465 + * patch the sudo manpage to reflect Debian's choice of no timeout on the + password prompt, closes: #271194 + + -- Bdale Garbee Tue, 16 Nov 2004 23:23:41 -0700 + +sudo (1.6.7p5-2) unstable; urgency=low + + * Jeff Bailey reports that seteuid works on current sparc systems, so we + no longer need the "grosshack" stuff in the sudo rules file + * add a postrm that removes /etc/sudoers on purge. don't do this with the + normal conffile mechanism since it would generate noise on every upgrade, + closes: #245405 + + -- Bdale Garbee Tue, 20 Jul 2004 12:29:48 -0400 + +sudo (1.6.7p5-1) unstable; urgency=low + + * new upstream version, closes: #190265, #193222, #197244 + * change from '.' to ':' in postinst chown call, closes: #208369 + + -- Bdale Garbee Tue, 2 Sep 2003 21:27:06 -0600 + +sudo (1.6.7p3-2) unstable; urgency=low + + * add --disable-setresuid to configure call since 2.2 kernels don't support + setresgid, closes: #189044 + * cosmetic cleanups to debian/rules as long as I'm there + + -- Bdale Garbee Tue, 15 Apr 2003 16:04:48 -0600 + +sudo (1.6.7p3-1) unstable; urgency=low + + * new upstream version + * add overrides to quiet lintian about things it doesn't understand, + except the source one that can't be overridden until 129510 is fixed + + -- Bdale Garbee Mon, 7 Apr 2003 17:34:05 -0600 + +sudo (1.6.6-3) unstable; urgency=low + + * add code to rules file to update config.sub/guess, closes: #164501 + + -- Bdale Garbee Sat, 12 Oct 2002 15:35:22 -0600 + +sudo (1.6.6-2) unstable; urgency=low + + * adopt suggestion from Marcus Brinkmann to feed --with-sendmail option to + configure, and lose the build dependency on mail-transport-agent + * incorporate changes from LaMont's NMU, closes: #144665, #144737 + * update init.d to not try and set time on nonexistent timestamp files, + closes: #132616 + * build with --with-all-insults, admin must edit sudoers to turn insults + on at runtime if desired, closes: #135374 + * stop setting /usr/doc symlink in postinst + + -- Bdale Garbee Sat, 12 Oct 2002 01:54:24 -0600 + +sudo (1.6.6-1.1) unstable; urgency=high + + * NMU - patch from Colin Watson , in bts. + * Revert patch to auth/pam.c that left pass uninitialized, causing a + segfault (Closes: #144665). + + -- LaMont Jones Fri, 26 Apr 2002 22:36:04 -0600 + +sudo (1.6.6-1) unstable; urgency=high + + * new upstream version, fixes security problem with crafty prompts, + closes: #144540 + + -- Bdale Garbee Thu, 25 Apr 2002 12:45:49 -0600 + +sudo (1.6.5p1-4) unstable; urgency=high + + * apply patch for auth/pam.c to fix yet another way to make sudo segfault + if ctrl/C'ed at password prompt, closes: #131235 + + -- Bdale Garbee Sun, 3 Mar 2002 23:18:56 -0700 + +sudo (1.6.5p1-3) unstable; urgency=high + + * ugly hack to add --disable-saved-ids when building on sparc in response + to 131592, which will be reassigned to glibc for a real fix + * urgency high since the sudo currently in testing for sparc is worthless + + -- Bdale Garbee Sun, 17 Feb 2002 22:42:10 -0700 + +sudo (1.6.5p1-2) unstable; urgency=high + + * patch from upstream to fix seg faults caused by versions of pam that + follow a NULL pointer, closes: #129512 + + -- Bdale Garbee Tue, 22 Jan 2002 01:50:13 -0700 + +sudo (1.6.5p1-1) unstable; urgency=high + + * new upstream version + * add --disable-root-mailer option supported by new version to configure + call in rules file, closes: #129648 + + -- Bdale Garbee Fri, 18 Jan 2002 11:29:37 -0700 + +sudo (1.6.4p1-1) unstable; urgency=high + + * new upstream version, with fix for segfaulting problem in 1.6.4 + + -- Bdale Garbee Mon, 14 Jan 2002 20:09:46 -0700 + +sudo (1.6.4-1) unstable; urgency=high + + * new upstream version, includes an important security fix, closes: #127576 + + -- Bdale Garbee Mon, 14 Jan 2002 09:35:48 -0700 + +sudo (1.6.3p7-5) unstable; urgency=low + + * only touch /var/run/sudo/* if /var/run/sudo is there, closes: #126872 + * fix spelling error in init.d, closes: #126847 + + -- Bdale Garbee Sat, 29 Dec 2001 11:21:43 -0700 + +sudo (1.6.3p7-4) unstable; urgency=medium + + * use touch to set status files to an ancient date instead of removing them + outright on reboot. this achieves the desired effect of keeping elevated + privs from living across reboots, without forcing everyone to see the + new-sudo-user lecture after every reboot. pick a time that's 'old enough' + for systems with good clocks, and 'recent enough' that broken PC hardware + setting the clock to commonly-seen bogus dates trips over the "don't trust + future timestamps" rule. closes: #76529, #123559 + * apply patch from Steve Langasek to fix seg faults due to interaction with + PAM code. upstream confirms the problem, and says they're fixing this + differently for their next release... but this should be useful in the + meantime, and would be good to get into woody. closes: #119147 + * only run the init.d at boot, not on each runlevel change... and don't run + it during package configure. closes: #125935 + * add DEB_BUILD_OPTIONS support to rules file, closes: #94952 + + -- Bdale Garbee Wed, 26 Dec 2001 12:40:44 -0700 + +sudo (1.6.3p7-3) unstable; urgency=low + + * apply patch from Fumitoshi UKAI that fixes segfaults when hostname not + resolvable, closes: #86062, #69430, #77852, #82744, #55716, #56718, + * fix a typo in the manpage, closes: #97368 + * apply patch to configure.in and run autoconf to fix problem building on + the hurd, closes: #96325 + * add an init.d to clean out /var/run/sudo at boot, so privs are guaranteed + to not last across reboots, closes: #76529 + * clean up lintian-noticed cosmetic packaging issues + + -- Bdale Garbee Sat, 1 Dec 2001 02:59:52 -0700 + +sudo (1.6.3p7-2) unstable; urgency=low + + * update config.sub/guess for hppa support + + -- Bdale Garbee Sun, 22 Apr 2001 23:23:42 -0600 + +sudo (1.6.3p7-1) unstable; urgency=low + + * new upstream version + * add build dependency on mail-transport-agent, closes: #90685 + + -- Bdale Garbee Thu, 12 Apr 2001 17:02:42 -0600 + +sudo (1.6.3p6-1) unstable; urgency=high + + * new upstream version, fixes buffer overflow problem, + closes: #87259, #87278, #87263 + * revert to using --with-secure-path option at build time, since the option + available in sudoers is parsed too late to be useful, and upstream says + it won't get fixed quickly. This reopens 85123, which I will mark as + forwarded. Closes: #86199, #86117, #85676 + + -- Bdale Garbee Mon, 26 Feb 2001 11:02:51 -0700 + +sudo (1.6.3p5-2) unstable; urgency=low + + * lose the dh_suidregister call since it's obsolete + * stop using the --with-secure-path option at build time, and instead show + how to set it in sudoers. Closes: #85123 + * freshen config.sub and config.guess for ia64 and hppa + * update sudoers man page to indicate exempt_group is on by default, + closes: #70847 + + -- Bdale Garbee Sat, 10 Feb 2001 02:05:17 -0700 + +sudo (1.6.3p5-1) unstable; urgency=low + + * new upstream version, closes: #63940, #59175, #61817, #64652, #65743 + * this version restores core dumps before the exec, while leaving them + disabled during sudo's internal execution, closes: #58289 + * update debhelper calls in rules file + + -- Bdale Garbee Wed, 16 Aug 2000 00:13:15 -0600 + +sudo (1.6.2p2-1) frozen unstable; urgency=medium + + * new upstream source resulting from direct collaboration with the upstream + author to fix ugly pam-related problems on Debian in 1.6.1 and later. + Closes: #56129, #55978, #55979, #56550, #56772 + * include more upstream documentation, closes: #55054 + * pam.d fragment update, closes: #56129 + + -- Bdale Garbee Sun, 27 Feb 2000 11:48:48 -0700 + +sudo (1.6.1-1) unstable; urgency=low + + * new upstream source, closes: #52750 + + -- Bdale Garbee Fri, 7 Jan 2000 21:01:42 -0700 + +sudo (1.6-2) unstable; urgency=low + + * drop suidregister support for this package. The sudo executable is + essentially worthless unless it is setuid root, and making suidregister + work involves shipping a non-setuid executable in the .deb and setting the + perms in the postinst. On a long upgrade run, this can leave the sudo + executable 'broken' for a long time, which is unacceptable. With this + version, we ship the executable setuid root in the .deb. Closes: #51742 + + -- Bdale Garbee Wed, 1 Dec 1999 19:59:44 -0700 + +sudo (1.6-1) unstable; urgency=low + + * new upstream version, many options previously set at compile-time are now + configurable at runtime. + Closes: #39255, #20996, #29812, #50705, #49148, #48435, #47190, #45639 + * FHS support + + -- Bdale Garbee Tue, 23 Nov 1999 16:51:22 -0700 + +sudo (1.5.9p4-1) unstable; urgency=low + + * new upstream version, closes: #43464 + * empty password handling was fixed in 1.5.8, closes: #31863 + + -- Bdale Garbee Thu, 26 Aug 1999 00:00:57 -0600 + +sudo (1.5.9p1-1) unstable; urgency=low + + * new upstream version + + -- Bdale Garbee Thu, 15 Apr 1999 22:43:29 -0600 + +sudo (1.5.8p1-1) unstable; urgency=medium + + * new upstream version, closes 33690 + * add dependency on libpam-modules, closes 34215, 33432 + + -- Bdale Garbee Mon, 8 Mar 1999 10:27:42 -0700 + +sudo (1.5.7p4-2) unstable; urgency=medium + + * update the pam fragment provided so that sudo works with latest pam bits, + closes 33432 + + -- Bdale Garbee Sun, 21 Feb 1999 00:22:44 -0700 + +sudo (1.5.7p4-1) unstable; urgency=low + + * new upstream release + + -- Bdale Garbee Sun, 27 Dec 1998 16:13:53 -0700 + +sudo (1.5.6p5-1) unstable; urgency=low + + * new upstream patch release + * add PAM support, closes 28594 + + -- Bdale Garbee Mon, 2 Nov 1998 00:00:24 -0700 + +sudo (1.5.6p2-2) unstable; urgency=low + + * update copyright file, closes 24136 + * review and close forwarded bugs believed fixed in this upstream version, + closes 17606, 15786. + + -- Bdale Garbee Mon, 5 Oct 1998 22:30:43 -0600 + +sudo (1.5.6p2-1) unstable; urgency=low + + * new upstream release + + -- Bdale Garbee Mon, 5 Oct 1998 22:30:43 -0600 + +sudo (1.5.4-4) frozen unstable; urgency=low + + * update postinst to use groupadd, closes 21403 + * move the suidregister stuff earlier in postinst to ensure it always runs + + -- Bdale Garbee Sun, 19 Apr 1998 22:07:45 -0600 + +sudo (1.5.4-3) frozen unstable; urgency=low + + * change /etc/sudoers from a conffile to being handled in postinst, + closes 18219 + * add suidmanager support, closes 15711 + * add '-Wno-comment' to quiet warnings from gcc upstream maintainer is + unlikely to ever fix, and which just don't matter. closes 17146 + * fix FSF address in copyright file, and submit exception for lintian + warning about sudo being setuid root + + -- Bdale Garbee Thu, 9 Apr 1998 23:59:11 -0600 + +sudo (1.5.4-2) unstable; urgency=high + + * patch from upstream author correcting/improving security fix + + -- Bdale Garbee Tue, 13 Jan 1998 10:39:35 -0700 + +sudo (1.5.4-1) unstable; urgency=high + + * new upstream version, includes a security fix + * change default editor from /bin/ae to /usr/bin/editor + + -- Bdale Garbee Mon, 12 Jan 1998 23:36:41 -0700 + +sudo (1.5.3-1) unstable; urgency=medium + + * new upstream version, closes bug 15911. + * rules file reworked to use debhelper + * implement a really gross hack to force use of the sudo-provided + lsearch(), since the one in libc6 is broken! This closes bugs + 12552, 12557, 14881, 15259, 15916. + + -- Bdale Garbee Sat, 3 Jan 1998 20:39:23 -0700 + +sudo (1.5.2-6) unstable; urgency=LOW + + * don't install INSTALL in the doc directory, closes bug 13195. + + -- Bdale Garbee Sun, 21 Sep 1997 17:10:40 -0600 + +sudo (1.5.2-5) unstable; urgency=LOW + + * libc6 + + -- Bdale Garbee Fri, 5 Sep 1997 00:06:22 -0600 + +sudo (1.5.2-4) unstable; urgency=LOW + + * change TIMEOUT (how long before you have to type your password again) + to 15 mins, disable PASSWORD_TIMEOUT. This makes building large Debian + packages on slower machines much more tolerable. Closes bug 9076. + * touch debian/suid before debstd. Closes bug 8709. + + -- Bdale Garbee Sat, 26 Apr 1997 00:48:01 -0600 + +sudo (1.5.2-3) frozen unstable; urgency=LOW + + * patch from upstream maintainer to close Bug 6828 + * add a debian/suid file to get debstd to leave my perl postinst alone + + -- Bdale Garbee Fri, 11 Apr 1997 23:09:55 -0600 + +sudo (1.5.2-2) frozen unstable; urgency=LOW + + * change rules to use -O2 -Wall as per standards + + -- Bdale Garbee Sun, 6 Apr 1997 12:48:53 -0600 + +sudo (1.5.2-1) unstable; urgency=LOW + + * new upstream version + * cosmetic changes to debian package control files + + -- Bdale Garbee Wed, 30 Oct 1996 09:50:00 -0700 + +sudo (1.5-2) unstable; urgency=LOW + + * add /usr/X11R6/bin to the end of the secure path... this makes it + much easier to run xmkmf, etc., during package builds. To the extent + that /usr/local/sbin and /usr/local/bin were already included, I see + no security reasons not to add this. + + -- Bdale Garbee Wed, 30 Oct 1996 09:44:58 -0700 + +sudo (1.5-1) unstable; urgency=LOW + + * New upstream version + * New maintainer + * New packaging format + + -- Bdale Garbee Thu, 29 Aug 1996 11:44:22 +0200 + +Tue Mar 5 09:36:41 MET 1996 Michael Meskes + + sudo (1.4.1-1): + + * hard code SECURE_PATH to: + "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin" + + * enable ENV_EDITOR + + * enabled EXEMPTGROUP "sudo" + + * moved timestamp dir to /var/log/sudo + + * changed parser to check for long and short filenames (Bug#1162) + +Wed Apr 17 13:03:31 MET DST 1996 Michael Meskes + + sudo (1.4.2-1): + + * New upstream source + + * Fixed postinst script + (thanks to Peter Tobis ) + + * Removed special shadow binary. This version works with and without + shadow password file. + +Mon May 20 09:35:22 MET DST 1996 Michael Meskes + + sudo (1.4.2-2): + + * Corrected editor path to /bin/ae (Bug#3062) + + * Set file permission to 4755 for sudo and 755 for visudo (Bug#3063) + +Mon Jun 17 12:06:41 MET DST 1996 Michael Meskes + + sudo (1.4.3-1): + + * New upstream version + + * Changed sudoers permission to 440 (owner root, group root) to make + sudo usable via NFS + +Wed Jun 19 10:56:54 MET DST 1996 Michael Meskes + + sudo (1.4.3-2): + + * Applied upstream patch 1 + +Thu Jun 20 09:02:57 MET DST 1996 Michael Meskes + + sudo (1.4.3-3): + + * Applied upstream patch 2 + +Fri Jun 28 12:49:40 MET DST 1996 Michael Meskes + + sudo (1.4.3-4): + + * Applied upstream patch 3 (fixes problems with an NFS-mounted + sudoers file) + + +Sun Jun 30 13:02:44 MET DST 1996 Michael Meskes + + sudo (1.4.3-5): + + * Corrected postinst to use /usr/bin/perl instead of /bin/perl + [Reported by jdassen@wi.leidenuniv.nl (J.H.M.Dassen)] + +Wed Jul 10 12:44:33 MET DST 1996 Michael Meskes + + sudo (1.4.3-6): + + * Applied upstream patch 4 (fixes several bugs) + + * Changed priority to optional + +Thu Jul 11 19:23:52 MET DST 1996 Michael Meskes + + sudo (1.4.3-7): + + * Corrected postinst to create correct permission for /etc/sudoers + (Bug#3749) + +Fri Aug 2 10:50:53 MET DST 1996 Michael Meskes + + sudo (1.4.4-1): + + * New upstream version + + +sudo (1.4.4-2) admin; urgency=HIGH + + * Fixed major security bug reported by Peter Tobias + + * Added dchanges support to debian.rules + +sudo (1.4.5-1) admin; urgency=LOW + + * New upstream version + * Minor changes to debian.rules --- sudo-1.6.9p17.orig/debian/sudo-ldap.docs +++ sudo-1.6.9p17/debian/sudo-ldap.docs @@ -0,0 +1,11 @@ +debian/OPTIONS +BUGS +UPGRADE +PORTING +HISTORY +README +README.LDAP +TROUBLESHOOTING +sudoers2ldif +schema.iPlanet +schema.OpenLDAP --- sudo-1.6.9p17.orig/debian/sudo-ldap.dirs +++ sudo-1.6.9p17/debian/sudo-ldap.dirs @@ -0,0 +1,7 @@ +etc/pam.d +usr/bin +usr/share/man/man8 +usr/share/man/man5 +usr/sbin +usr/share/doc/sudo-ldap/examples +usr/share/lintian/overrides --- sudo-1.6.9p17.orig/debian/control +++ sudo-1.6.9p17/debian/control @@ -0,0 +1,33 @@ +Source: sudo +Section: admin +Priority: optional +Maintainer: Martin Pitt +XSBC-Original-Maintainer: Bdale Garbee +Build-Depends: debhelper (>= 5), libpam0g-dev, libldap2-dev, autotools-dev, bison, flex +Standards-Version: 3.8.0 + +Package: sudo +Architecture: any +Depends: ${shlibs:Depends}, libpam-modules +Conflicts: sudo-ldap +Replaces: sudo-ldap +Description: Provide limited super user privileges to specific users + Sudo is a program designed to allow a sysadmin to give limited root + privileges to users and log root activity. The basic philosophy is to give + as few privileges as possible but still allow people to get their work done. + . + This version is built with minimal shared library dependencies, use the + sudo-ldap package instead if you need LDAP support. + +Package: sudo-ldap +Architecture: any +Depends: ${shlibs:Depends}, libpam-modules +Conflicts: sudo +Replaces: sudo +Provides: sudo +Description: Provide limited super user privileges to specific users + Sudo is a program designed to allow a sysadmin to give limited root + privileges to users and log root activity. The basic philosophy is to give + as few privileges as possible but still allow people to get their work done. + . + This version is built with LDAP support. --- sudo-1.6.9p17.orig/debian/sudo-ldap.sudo.init +++ sudo-1.6.9p17/debian/sudo-ldap.sudo.init @@ -0,0 +1,31 @@ +#! /bin/sh + +### BEGIN INIT INFO +# Provides: sudo +# Required-Start: $local_fs $remote_fs +# Required-Stop: +# Default-Start: S +# Default-Stop: +### END INIT INFO + +N=/etc/init.d/sudo + +set -e + +case "$1" in + start) + # make sure privileges don't persist across reboots + if [ -d /var/run/sudo ] + then + find /var/run/sudo -exec touch -t 198501010000 '{}' \; + fi + ;; + stop|reload|restart|force-reload) + ;; + *) + echo "Usage: $N {start|stop|restart|force-reload}" >&2 + exit 1 + ;; +esac + +exit 0 --- sudo-1.6.9p17.orig/debian/rules +++ sudo-1.6.9p17/debian/rules @@ -0,0 +1,127 @@ +#!/usr/bin/make -f + +export DH_VERBOSE=1 + +CFLAGS = -O2 -Wall -Wno-comment +ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS))) +CFLAGS += -g +endif +export CFLAGS + +config: config-stamp +config-stamp: + dh_testdir + + # simple version + mkdir -p build-simple + cd build-simple && NROFFPROG=/usr/bin/nroff ../configure \ + --prefix=/usr -v \ + --with-all-insults \ + --with-devel --with-pam --with-fqdn \ + --with-logging=syslog --with-logfac=authpriv \ + --with-env-editor --with-editor=/usr/bin/editor \ + --with-timeout=15 --with-password-timeout=0 \ + --with-passprompt="[sudo] password for %p: " \ + --disable-root-mailer --disable-setresuid \ + --with-sendmail=/usr/sbin/sendmail \ + --mandir=/usr/share/man --libexecdir=/usr/lib/sudo \ + --with-ldap-conf-file=/etc/sudo-ldap.conf \ + --without-lecture --with-tty-tickets \ + --with-secure-path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin" + + # LDAP version + mkdir -p build-ldap + cd build-ldap && NROFFPROG=/usr/bin/nroff ../configure \ + --prefix=/usr -v \ + --with-all-insults \ + --with-exempt=sudo --with-pam --with-ldap --with-fqdn \ + --with-logging=syslog --with-logfac=authpriv \ + --with-env-editor --with-editor=/usr/bin/vi \ + --with-timeout=15 --with-password-timeout=0 \ + --with-passprompt="[sudo] password for %p: " \ + --disable-root-mailer --disable-setresuid \ + --with-sendmail=/usr/sbin/sendmail \ + --with-ldap-conf-file=/etc/ldap/ldap.conf \ + --mandir=/usr/share/man --libexecdir=/usr/lib/sudo \ + --without-lecture --with-tty-tickets \ + --with-secure-path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin" + + touch config-stamp + +build: build-stamp +build-stamp: config-stamp + dh_testdir + + # ensure our pod changes get picked up + $(MAKE) -C build-simple sudoers.man.in sudo.man.in visudo.man.in + + $(MAKE) -C build-simple + $(MAKE) -C build-ldap + + touch build-stamp + +clean: + dh_testdir + dh_testroot + rm -f config-stamp build-stamp + rm -rf build-simple build-ldap + rm -f config.cache + + -test -r /usr/share/misc/config.sub && \ + cp -f /usr/share/misc/config.sub config.sub + -test -r /usr/share/misc/config.guess && \ + cp -f /usr/share/misc/config.guess config.guess + + dh_clean + +install: build-stamp + dh_testdir + dh_testroot + dh_clean -k + dh_installdirs + + $(MAKE) -C build-simple install DESTDIR=$(CURDIR)/debian/sudo + $(MAKE) -C build-ldap install DESTDIR=$(CURDIR)/debian/sudo-ldap + + # remove stuff we don't want + rm -f $(CURDIR)/debian/sudo/etc/sudoers \ + $(CURDIR)/debian/sudo-ldap/etc/sudoers + + # and install things we do want that make install doesn't know about + install -o root -g root -m 0644 $(CURDIR)/debian/sudo.pam \ + debian/sudo/etc/pam.d/sudo + install -o root -g root -m 0644 $(CURDIR)/debian/sudo.pam \ + debian/sudo-ldap/etc/pam.d/sudo + + install -o root -g root -m 0644 $(CURDIR)/debian/sudo.lintian \ + debian/sudo/usr/share/lintian/overrides/sudo + install -o root -g root -m 0644 $(CURDIR)/debian/sudo-ldap.lintian \ + debian/sudo-ldap/usr/share/lintian/overrides/sudo-ldap + + install -o root -g root -m 0644 debian/sudo_root.8 \ + debian/sudo/usr/share/man/man8/sudo_root.8 + +binary-indep: build install + +binary-arch: build install + dh_testdir + dh_testroot + dh_installdocs + dh_installexamples -A sudoers + #dh_installinit -psudo -psudo-ldap --name=sudo + dh_installmanpages fnmatch.3 + dh_installinfo -A + dh_installchangelogs CHANGES + dh_strip + dh_compress + dh_fixperms + chown root.root debian/sudo/usr/bin/sudo debian/sudo-ldap/usr/bin/sudo + chmod 4755 debian/sudo/usr/bin/sudo debian/sudo-ldap/usr/bin/sudo + dh_installdeb + dh_shlibdeps + dh_gencontrol + dh_md5sums + dh_builddeb + +binary: binary-indep binary-arch +.PHONY: build clean binary-indep binary-arch binary install --- sudo-1.6.9p17.orig/debian/source.lintian-overrides +++ sudo-1.6.9p17/debian/source.lintian-overrides @@ -0,0 +1,2 @@ +sudo source: maintainer-script-lacks-debhelper-token debian/postinst +sudo source: maintainer-script-lacks-debhelper-token debian/sudo-ldap.postinst --- sudo-1.6.9p17.orig/debian/copyright +++ sudo-1.6.9p17/debian/copyright @@ -0,0 +1,72 @@ +This is the Debian GNU/Linux prepackaged version of sudo. sudo is +used to provide limited super user privileges to specific users. + +Bdale Garbee maintains this package using sources from + + http://www.sudo.ws/ + +Sudo is distributed under the following BSD-style license: + + Copyright (c) 1994-1996,1998-2005,2007 Todd C. Miller + All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + + 3. The name of the author may not be used to endorse or promote products + derived from this software without specific prior written permission + from the author. + + 4. Products derived from this software may not be called "Sudo" nor + may "Sudo" appear in their names without specific prior written + permission from the author. + + THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, + INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY + AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL + THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, + EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, + PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; + OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, + WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR + OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF + ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + + +Additionally, lsearch.c, fnmatch.c, getcwd.c, snprintf.c, strcasecmp.c +and fnmatch.3 bear the following UCB license: + + Copyright (c) 1987, 1989, 1990, 1991, 1993, 1994 + The Regents of the University of California. All rights reserved. + + Redistribution and use in source and binary forms, with or without + modification, are permitted provided that the following conditions + are met: + 1. Redistributions of source code must retain the above copyright + notice, this list of conditions and the following disclaimer. + 2. Redistributions in binary form must reproduce the above copyright + notice, this list of conditions and the following disclaimer in the + documentation and/or other materials provided with the distribution. + 3. Neither the name of the University nor the names of its contributors + may be used to endorse or promote products derived from this software + without specific prior written permission. + + THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND + ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE + FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + SUCH DAMAGE. --- sudo-1.6.9p17.orig/debian/sudo-ldap.postinst +++ sudo-1.6.9p17/debian/sudo-ldap.postinst @@ -0,0 +1,64 @@ +#!/usr/bin/perl + +# remove old link + +unlink ("/etc/alternatives/sudo") if ( -l "/etc/alternatives/sudo"); + +# make sure we have a sudoers file +if ( ! -f "/etc/sudoers") { + + print "No /etc/sudoers found... creating one for you.\n"; + + open (SUDOERS, "> /etc/sudoers"); + print SUDOERS "# /etc/sudoers\n", + "#\n", + "# This file MUST be edited with the 'visudo' command as root.\n", + "#\n", + "# See the man page for details on how to write a sudoers file.\n", + "#\n\nDefaults\tenv_reset\n\n", + "# Uncomment to allow members of group sudo to not need a password\n", + "# %sudo ALL=NOPASSWD: ALL\n\n", + "# Host alias specification\n\n", + "# User alias specification\n\n", + "# Cmnd alias specification\n\n", + "# User privilege specification\nroot\tALL=(ALL) ALL\n"; + close SUDOERS; + +} + +# make sure sudoers has the correct permissions and owner/group +system ('chown root:root /etc/sudoers'); +system ('chmod 440 /etc/sudoers'); + +# must do a remove first to un-do the "bad" links created by previous version +system ('update-rc.d -f sudo remove >/dev/null 2>&1'); + +#system ('update-rc.d sudo start 75 S . >/dev/null'); + +# make sure we have a sudo group + +exit 0 if getgrnam("sudo"); # we're finished if there is a group sudo + +$gid = 27; # start searcg with gid 27 +setgrent; +while (getgrgid($gid)) { + ++$gid; +} +endgrent; + +if ($gid != 27) { + print "On Debian we normally use gid 27 for 'sudo'.\n"; + $gname = getgrgid(27); + print "However, on your system gid 27 is group '$gname'.\n\n"; + print "Would you like me to stop configuring sudo so that you can change this? [n] "; + $ans = ; + if ($ans =~ m/^[yY].*/) { + print "'dpkg --pending --configure' will restart the configuration.\n\n\n"; + exit 1; + } +} + +print "Creating group 'sudo' with gid = $gid\n"; +system("groupadd -g $gid sudo"); + +print ""; --- sudo-1.6.9p17.orig/debian/postinst +++ sudo-1.6.9p17/debian/postinst @@ -0,0 +1,66 @@ +#!/usr/bin/perl + +# remove old link + +unlink ("/etc/alternatives/sudo") if ( -l "/etc/alternatives/sudo"); + +# make sure we have a sudoers file +if ( ! -f "/etc/sudoers") { + + print "No /etc/sudoers found... creating one for you.\n"; + + open (SUDOERS, "> /etc/sudoers"); + print SUDOERS "# /etc/sudoers\n", + "#\n", + "# This file MUST be edited with the 'visudo' command as root.\n", + "#\n", + "# See the man page for details on how to write a sudoers file.\n", + "#\n\nDefaults\tenv_reset\n\n", + "# Host alias specification\n\n", + "# User alias specification\n\n", + "# Cmnd alias specification\n\n", + "# User privilege specification\nroot\tALL=(ALL) ALL\n\n", + "# Uncomment to allow members of group sudo to not need a password\n", + "# (Note that later entries override this, so you might need to move\n", + "# it further down)\n", + "# %sudo ALL=NOPASSWD: ALL\n"; + close SUDOERS; + +} + +# make sure sudoers has the correct permissions and owner/group +system ('chown root:root /etc/sudoers'); +system ('chmod 440 /etc/sudoers'); + +# must do a remove first to un-do the "bad" links created by previous version +system ('update-rc.d -f sudo remove >/dev/null 2>&1'); + +#system ('update-rc.d sudo start 75 S . >/dev/null'); + +# make sure we have a sudo group + +exit 0 if getgrnam("sudo"); # we're finished if there is a group sudo + +$gid = 27; # start searcg with gid 27 +setgrent; +while (getgrgid($gid)) { + ++$gid; +} +endgrent; + +if ($gid != 27) { + print "On Debian we normally use gid 27 for 'sudo'.\n"; + $gname = getgrgid(27); + print "However, on your system gid 27 is group '$gname'.\n\n"; + print "Would you like me to stop configuring sudo so that you can change this? [n] "; + $ans = ; + if ($ans =~ m/^[yY].*/) { + print "'dpkg --pending --configure' will restart the configuration.\n\n\n"; + exit 1; + } +} + +print "Creating group 'sudo' with gid = $gid\n"; +system("groupadd -g $gid sudo"); + +print ""; --- sudo-1.6.9p17.orig/debian/prerm +++ sudo-1.6.9p17/debian/prerm @@ -0,0 +1,45 @@ +#!/bin/sh + +set -e + +check_password() { + if [ ! "$SUDO_FORCE_REMOVE" = "yes" ]; then + # let's check whether the root account is locked. + # if it is, we're not going another step. No Sirreee! + passwd=$(getent shadow root|cut -f2 -d:) + passwd1=$(echo "$passwd" |cut -c1) + # Note: we do need the 'xfoo' syntax here, since POSIX special-cases + # the $passwd value '!' as negation. + if [ "x$passwd" = "x*" ] || [ "x$passwd1" = "x!" ]; then + # yup, password is locked + echo "You have asked that the sudo package be removed," + echo "but no root password has been set." + echo "Without sudo, you may not be able to gain administrative privileges." + echo + echo "If you would prefer to access the root account with su(1)" + echo "or by logging in directly," + echo "you must set a root password with \"sudo passwd\"." + echo + echo "If you have arranged other means to access the root account," + echo "and you are sure this is what you want," + echo "you may bypass this check by setting an environment variable " + echo "(export SUDO_FORCE_REMOVE=yes)." + echo + echo "Refusing to remove sudo." + exit 1 + fi + fi +} + +case $1 in + remove) + check_password; + ;; + *) + ;; +esac + +#DEBHELPER# + +exit 0 + --- sudo-1.6.9p17.orig/debian/docs +++ sudo-1.6.9p17/debian/docs @@ -0,0 +1,7 @@ +debian/OPTIONS +BUGS +UPGRADE +PORTING +HISTORY +README +TROUBLESHOOTING --- sudo-1.6.9p17.orig/debian/dirs +++ sudo-1.6.9p17/debian/dirs @@ -0,0 +1,7 @@ +etc/pam.d +usr/bin +usr/share/man/man8 +usr/share/man/man5 +usr/sbin +usr/share/doc/sudo/examples +usr/share/lintian/overrides --- sudo-1.6.9p17.orig/debian/sudo.pam +++ sudo-1.6.9p17/debian/sudo.pam @@ -0,0 +1,7 @@ +#%PAM-1.0 + +@include common-auth +@include common-account + +session required pam_permit.so +session required pam_limits.so --- sudo-1.6.9p17.orig/debian/OPTIONS +++ sudo-1.6.9p17/debian/OPTIONS @@ -0,0 +1,59 @@ +The following options were used to configure sudo for Debian GNU/Linux. + + --with-devel + + Force flex and bison runs on each build. + + --with-pam + + Support for pluggable authentication modules. + + --with-ldap + + Support for LDAP authentication, in the sudo-ldap package version only. + + --with-fqdn + + Allow use of fully qualified domain names in the sudoers file. + + --disable-root-mailer + + Send mail as the invoking user, not as root. + + --with-logging=syslog + --with-logfac=authpriv + + Where logging information goes. + + --with-env-editor + --with-editor=/usr/bin/editor + + Honor the EDITOR and VISUAL environment variables. If they are not + present, default to the preferred systemwide default editor. + + --with-timeout=15 + --with-password-timeout=0 + + Allow 15 minutes before a user has to re-type their passord, versus + the sudo usual default of 5. Never time out while waiting for a + password to be typed, this is a seriously big deal for Debian package + developers using 'dpkg-buildpackage -rsudo'. + + --with-secure-path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:\ + /sbin:/bin:/usr/X11R6/bin" + + Give a reasonable default path for commands run as root via sudo. + + --with-all-insults + + Include all the insults in the binary, won't be enabled unless turned + on in the sudoers file. + + --with-sendmail=/usr/sbin/sendmail + + Use Debian policy to know the location of sendmail instead of trying + to detect it at build time. + + --disable-setresuid + + Linux 2.2 kernels don't support setresgid. --- sudo-1.6.9p17.orig/debian/sudo.lintian +++ sudo-1.6.9p17/debian/sudo.lintian @@ -0,0 +1,2 @@ +sudo: setuid-binary usr/bin/sudo 4755 root/root +sudo: setuid-binary usr/bin/sudoedit 4755 root/root --- sudo-1.6.9p17.orig/debian/NEWS +++ sudo-1.6.9p17/debian/NEWS @@ -0,0 +1,9 @@ +sudo (1.6.8p12-5) unstable; urgency=low + + The sudo package is no longer configured --with-exempt=sudo. If you + depend on members of group sudo being able to run sudo without needing + a password, you will need to put "%sudo ALL=NOPASSWD: ALL" in + /etc/sudoers to preserve equivalent functionality. + + -- Bdale Garbee Tue, 3 Apr 2007 21:13:39 -0600 + --- sudo-1.6.9p17.orig/debian/sudo.sudo.init +++ sudo-1.6.9p17/debian/sudo.sudo.init @@ -0,0 +1,31 @@ +#! /bin/sh + +### BEGIN INIT INFO +# Provides: sudo +# Required-Start: $local_fs $remote_fs +# Required-Stop: +# Default-Start: S +# Default-Stop: +### END INIT INFO + +N=/etc/init.d/sudo + +set -e + +case "$1" in + start) + # make sure privileges don't persist across reboots + if [ -d /var/run/sudo ] + then + find /var/run/sudo -exec touch -t 198501010000 '{}' \; + fi + ;; + stop|reload|restart|force-reload) + ;; + *) + echo "Usage: $N {start|stop|restart|force-reload}" >&2 + exit 1 + ;; +esac + +exit 0 --- sudo-1.6.9p17.orig/debian/sudo_root.8 +++ sudo-1.6.9p17/debian/sudo_root.8 @@ -0,0 +1,138 @@ +.TH sudo_root 8 "February 8, 2006" + +.SH NAME +sudo_root \- How to run administrative commands + +.SH SYNOPSIS + +.B sudo +.I command + +.B sudo \-i + +.SH INTRODUCTION + +By default, the password for the user "root" (the system +administrator) is locked. This means you cannot login as root or use +su. Instead, the installer will set up sudo to allow the user that is +created during install to run all administrative commands. + +This means that in the terminal you can use sudo for commands that +require root privileges. All programs in the menu will use a graphical +sudo to prompt for a password. When sudo asks for a password, it needs +.B your password, +this means that a root password is not needed. + +To run a command which requires root privileges in a terminal, simply +prepend +.B sudo +in front of it. To get an interactive root shell, use +.B sudo \-i\fR. + +.SH ALLOWING OTHER USERS TO RUN SUDO + +By default, only the user who installed the system is permitted to run +sudo. To add more administrators, i. e. users who can run sudo, you +have to add these users to the group 'admin' by doing one of the +following steps: + +.IP * 2 +In a shell, do + +.RS 4 +.B sudo adduser +.I username +.B admin +.RE + +.IP * 2 +Use the graphical "Users & Groups" program in the "System settings" +menu to add the new user to the +.B admin +group. + +.SH BENEFITS OF USING SUDO + +The benefits of leaving root disabled by default include the following: + +.IP * 2 +Users do not have to remember an extra password, which they are likely to forget. +.IP * 2 +The installer is able to ask fewer questions. +.IP * 2 +It avoids the "I can do anything" interactive login by default \- you +will be prompted for a password before major changes can happen, which +should make you think about the consequences of what you are doing. +.IP * 2 +Sudo adds a log entry of the command(s) run (in \fB/var/log/auth.log\fR). +.IP * 2 +Every attacker trying to brute\-force their way into your box will +know it has an account named root and will try that first. What they +do not know is what the usernames of your other users are. +.IP * 2 +Allows easy transfer for admin rights, in a short term or long term +period, by adding and removing users from the admin group, while not +compromising the root account. +.IP * 2 +sudo can be set up with a much more fine\-grained security policy. +.IP * 2 +On systems with more than one administrator using sudo avoids sharing +a password amongst them. + +.SH DOWNSIDES OF USING SUDO + +Although for desktops the benefits of using sudo are great, there are +possible issues which need to be noted: + +.IP * 2 +Redirecting the output of commands run with sudo can be confusing at +first. For instance consider + +.RS 4 +.B sudo ls > /root/somefile +.RE + +.RS 2 +will not work since it is the shell that tries to write to that file. You can use +.RE + +.RS 4 +.B ls | sudo tee /root/somefile +.RE + +.RS 2 +to get the behaviour you want. +.RE + +.IP * 2 +In a lot of office environments the ONLY local user on a system is +root. All other users are imported using NSS techniques such as +nss\-ldap. To setup a workstation, or fix it, in the case of a network +failure where nss\-ldap is broken, root is required. This tends to +leave the system unusable. An extra local user, or an enabled root +password is needed here. + +.SH GOING BACK TO A TRADITIONAL ROOT ACCOUNT + +.B This is not recommended! + +To enable the root account (i.e. set a password) use: + +.RS 4 +.B sudo passwd root +.RE + +Afterwards, edit the sudo configuration with +.B sudo visudo +and comment out the line + +.RS 4 +%admin ALL=(ALL) ALL +.RE + +to disable sudo access to members of the admin group. + +.SH SEE ALSO +.BR sudo (8), +.B https://wiki.ubuntu.com/RootSudo + --- sudo-1.6.9p17.orig/debian/compat +++ sudo-1.6.9p17/debian/compat @@ -0,0 +1 @@ +5