%define statusdir /var/run/control
%def_enable python
%def_with selinux
%def_with audit
Name: sudo
Version: 1.9.15p1
Release: alt1
Epoch: 1
Summary: Allows command execution as another user
License: ISC
Group: System/Base
Url: https://www.sudo.ws
# ftp://ftp.courtesan.com/pub/sudo/sudo-%version.tar.gz
Source: sudo-%version.tar
Source1: pam.conf
Source2: sudo.control
Source3: sudoers.control
Source4: sudoreplay.control
Source5: sudowheel.control
Source6: sudopw.config
Source7: sudopw.control
Patch: sudo-%version-alt.patch
PreReq: control
Requires: vitmp
Provides: %_sysconfdir/sudoers.d
# Automatically added by buildreq on Wed Apr 09 2003
BuildRequires: flex libpam-devel perl-podlators
# Due check of man pages type
BuildRequires: /usr/bin/nroff
BuildRequires: libcap-devel
%{?_with_selinux:BuildRequires: libselinux-devel}
%{?_with_audit:BuildRequires: libaudit-devel}
BuildRequires: python3-dev
%define _libexecdir %_prefix/libexec/sudo
Summary(ru_RU.UTF-8): Запускает команды в контексте другого пользователя
%description
Sudo is a program designed to allow a sysadmin to give limited root
privileges to users and log root activity. The basic philosophy is
to give as few privileges as possible but still allow people to get
their work done.
%description -l ru_RU.UTF-8
Sudo - программа, разработанная в помощь системному администратору
делегировать те или иные привилегированные ресурсы пользователям,
с ведением протокола их деятельности. Основная идея - делегировать
как можно меньше прав, но ровно столько, сколько необходимо для
решения поставленных задач.
%package logsrvd
Summary: High-performance log server for %name
Group: System/Servers
Requires: %name = %epoch:%version-%release
%description logsrvd
%name-logsrvd is a high-performance log server that accepts event and I/O logs from sudo.
It can be used to implement centralized logging of sudo logs.
%package python
Summary: Python plugin for %name
Group: Development/Python
Requires: %name = %epoch:%version-%release
%description python
The %name-python package contains sudo python policy plugin.
%package devel
Summary: Development files for %name
Group: Development/C
Requires: %name = %epoch:%version-%release
BuildArch: noarch
%description devel
The %name-devel package contains header files developing sudo
plugins that use %name.
%description devel -l ru_RU.UTF-8
Пакет %name-devel содержит заголовочные файлы для разработки расширений
для програмы %name.
%prep
%setup
%patch -p1
%build
./autogen.sh
export ac_cv_prog_NROFFPROG=nroff
configure_options='
--with-logging=syslog
--with-logfac=authpriv
--enable-shell-sets-home
--enable-log-host
--disable-rpath
--with-pam
--with-ignore-dot
--with-env-editor
--with-tty-tickets
--with-sudoers-mode=0400
--with-editor=/bin/vitmp
--with-sendmail=/usr/sbin/sendmail
--with-sssd
%{subst_with selinux}
%{?_with_audit:--with-linux-audit}
--disable-shared-libutil
--enable-static-sudoers
%{subst_enable python}
--docdir=%_datadir/doc/%name-%version
--with-plugindir=%_libdir/sudo
--libexecdir=%_libdir
--with-secure-path=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin'
%configure $configure_options --with-passprompt='[sudo] password for %%p:'
%make_build
%install
%makeinstall_std INSTALL_OWNER=
install -pD -m600 %SOURCE1 %buildroot%_sysconfdir/pam.d/sudo
mkdir -p %buildroot%_sysconfdir/sudoers.d
install -pD -m644 %SOURCE6 %buildroot%_sysconfdir/sudoers.d/99-sudopw
chmod u+rwx %buildroot%prefix/*bin/*
install -pD -m755 %SOURCE2 %buildroot%_controldir/sudo
install -pD -m755 %SOURCE3 %buildroot%_controldir/sudoers
install -pD -m755 %SOURCE4 %buildroot%_controldir/sudoreplay
install -pD -m755 %SOURCE5 %buildroot%_controldir/sudowheel
install -pD -m755 %SOURCE7 %buildroot%_controldir/sudopw
bzip2 -9 %buildroot%_datadir/doc/%name-%version/ChangeLog
%find_lang sudo
%find_lang sudoers
cat sudo.lang sudoers.lang > sudo_all.lang
rm sudo.lang sudoers.lang
rm -f %buildroot%_libdir/sudo/*.la %buildroot%_libdir/*.so
mv %buildroot%_sysconfdir/sudoers.dist %buildroot%_datadir/doc/%name-%version/
%pre
%pre_control sudo
%pre_control sudoers
if [ -f "%_controldir/sudoreplay" ]; then
%pre_control sudoreplay
fi
if [ -f "%_controldir/sudowheel" ]; then
%pre_control sudowheel
fi
if [ -f "%_controldir/sudopw" ]; then
%pre_control sudopw
fi
%post
if [ -f %_sysconfdir/sudoers.d/99-sudopw.rpmnew ]; then
mv -f %_sysconfdir/sudoers.d/99-sudopw.rpmnew %_sysconfdir/sudoers.d_99-sudopw.rpmnew
echo "warning: created config %_sysconfdir/sudoers.d/99-sudopw.rpmnew"
echo " has been moved as %_sysconfdir/sudoers.d_99-sudopw.rpmnew"
fi
%post_control -s wheelonly sudo
%post_control -s strict sudoers
if [ ! -f "%statusdir/sudoreplay" ]; then
%pre_control sudoreplay
fi
%post_control -s wheelonly sudoreplay
if [ ! -f "%statusdir/sudowheel" ]; then
%pre_control sudowheel
fi
%post_control -s disabled sudowheel
if [ ! -f "%statusdir/sudopw" ]; then
%pre_control sudopw
fi
%post_control -s default sudopw
%triggerpostun -- %name < 1:1.8.0
cp -a %_sysconfdir/sudoers %_sysconfdir/sudoers.rpmsave
if ! grep -q '^#includedir %_sysconfdir/sudoers.d$' %_sysconfdir/sudoers; then
if [ -d %_sysconfdir/sudoers.d ]; then
echo "WARNING: %_sysconfdir/sudoers.d directory no longer supported indirectly"
echo "Update %_sysconfdir/sudoers with next line:"
echo "#includedir %_sysconfdir/sudoers.d"
echo
echo >>%_sysconfdir/sudoers
echo "# Automatically updates by rpm:" >>%_sysconfdir/sudoers
echo "#includedir %_sysconfdir/sudoers.d" >>%_sysconfdir/sudoers
fi
fi
if ! grep -q '^#includedir %_sysconfdir/sudo.d$' %_sysconfdir/sudoers; then
if [ -d %_sysconfdir/sudo.d ]; then
echo "WARNING: %_sysconfdir/sudo.d compat directory no longer supported indirectly"
if [ "$(ls -A %_sysconfdir/sudo.d)" ]; then
echo "Update %_sysconfdir/sudoers with next line:"
echo "#includedir %_sysconfdir/sudo.d"
echo >>%_sysconfdir/sudoers
echo "# Automatically updates by rpm:" >>%_sysconfdir/sudoers
echo "#includedir %_sysconfdir/sudo.d" >>%_sysconfdir/sudoers
fi
echo
fi
fi
%files -f sudo_all.lang
%config %_controldir/sudo*
%config(noreplace) %_sysconfdir/sudoers.d/99-sudopw
%attr(600,root,root) %config(noreplace) %_sysconfdir/sudo.conf
%attr(400,root,root) %config(noreplace) %_sysconfdir/sudoers
%attr(600,root,root) %config(noreplace) %_sysconfdir/pam.d/sudo
%_bindir/sudoedit
%dir %_libdir/sudo
%if_with selinux
%_libdir/sudo/sesh
%endif
%_libdir/sudo/*.so*
%if_enabled python
%exclude %_libdir/sudo/python_plugin.so
%endif
%attr(700,root,root) %_bindir/sudo
%attr(700,root,root) %_bindir/sudoreplay
%attr(755,root,root) %_sbindir/visudo
%attr(700,root,root) %_sysconfdir/sudoers.d
%_bindir/cvtsudoers
%_mandir/man?/*
%exclude %_man5dir/sudo_plugin.5*
%if_enabled python
%exclude %_man5dir/sudo_plugin_python.5*
%endif
%exclude %_man5dir/sudo_logsrv.proto.5*
%exclude %_man5dir/sudo_logsrvd.conf.5*
%exclude %_man8dir/sudo_logsrvd.8*
%exclude %_man8dir/sudo_sendlog.8*
%_datadir/doc/%name-%version/
%files logsrvd
%attr(600,root,root) %config(noreplace) %_sysconfdir/sudo_logsrvd.conf
%_sbindir/sudo_logsrvd
%_sbindir/sudo_sendlog
%_man5dir/sudo_logsrv.proto.5*
%_man5dir/sudo_logsrvd.conf.5*
%_man8dir/sudo_logsrvd.8*
%_man8dir/sudo_sendlog.8*
%if_enabled python
%files python
%_libdir/sudo/python_plugin.so
%_man5dir/sudo_plugin_python.5*
%endif
%files devel
%doc plugins/sample/sample_plugin.c
%_includedir/sudo_plugin.h
%_man5dir/sudo_plugin.5*
%changelog
* Wed Nov 08 2023 Evgeny Sinelnikov <sin@altlinux.org> 1:1.9.15p1-alt1
- Update to latest stable bugfix and security release (fixes: CVE-2023-42465):
+ The sudoers plugin has been modified to make it more resilient to ROWHAMMER
attacks on authentication and policy matching.
+ The sudoers plugin now constructs the user time stamp file path name using
the user-ID instead of the user name. This avoids a potential problem with
user names that contain a path separator ('/') being interpreted as part of
the path name. A similar issue in sudo-rs has been assigned CVE-2023-42456.
- Fixes in behavior:
+ The visudo utility will no longer create an empty file when the specified
sudoers file does not exist and the user exits the editor without making any
changes (GitHub#294).
+ Fixed a bug where output could go to the wrong terminal if "use_pty" is
enabled (the default) and the standard input, output or error is redirected
to a different terminal. Bug #1056.
+ A path separator ('/') in a user, group or host name is now replaced with an
underbar character ('_') when expanding escapes in @include and @includedir
directives as well as the "iolog_file" and "iolog_dir" sudoers Default
settings.
- Fixes in user output:
+ Running "sudo -ll command" now produces verbose output that includes matching
rule as well as the path to the sudoers file the matching rule came from.
+ Changes to terminal settings are now performed atomically, where possible.
If the command is being run in a pseudo-terminal and the user's terminal is
already in raw mode, sudo will not change the user's terminal settings. This
prevents concurrent sudo processes from restoring the terminal settings to
the wrong values (GitHub#312).
+ Better log message when rejecting a command if the "intercept" option is
enabled and the "intercept_allow_setid" option is disabled. Previously,
"command not allowed" would be logged and the user had no way of knowing
what the actual problem was.
- Fixes in logging:
+ The sudoers source is now logged in the JSON event log. This makes it
possible to tell which rule resulted in a match.
+ Sudo will now log the invoking user's environment as "submitenv" in the JSON
logs. The command's environment ("runenv") is no longer logged for commands
rejected by the sudoers file or an approval plugin.
+ The sudo_logsrvd server will now raise its open file descriptor limit to the
maximum allowed value when it starts up. Each connection can require up to
nine open file descriptors so the default soft limit may be too low.
- Fixed regressions:
+ Fixed the warning message for "sudo -l command" when the command is not
permitted. There was a missing space between "list" and the actual command
due to changes in sudo 1.9.14.
+ The "intercept_verify" sudoers option is now only applied when the
"intercept" option is set in sudoers. Previously, it was also applied when
"log_subcmds" was enabled. Sudo 1.9.14 contained an incorrect fix for this.
+ Reverted a change from sudo 1.9.4 that resulted in PAM session modules being
called with the environment of the command to be run instead of the
environment of the invoking user (GitHub#318).
* Sat Sep 23 2023 Evgeny Sinelnikov <sin@altlinux.org> 1:1.9.14p3-alt1
- Update to latest stable release with regressions fixes.
- Fixed a bug introduced in sudo 1.9.14 that affects matching sudoers rules
containing a Runas_Spec with an empty Runas user.
- Fixed a problem with "stair-stepped" output when piping or redirecting the
output of a sudo command that takes user input.
- Fixed a crash introduced in version 1.9.14 when running a command with a NULL
argv[0] if "log_subcmds" or "intercept" is enabled in sudoers.
- Adapted the sudo Python plugin test output to match Python 3.12.
* Fri Sep 22 2023 Ivan A. Melnikov <iv@altlinux.org> 1:1.9.14p1-alt2.1
- NMU: Add knobs for building w/o selinux and audit (thx asheplyakov@).
* Fri Jul 14 2023 Evgeny Sinelnikov <sin@altlinux.org> 1:1.9.14p1-alt2
- Disable build of shared libutil.
- Enable build with static sudoers.
* Thu Jul 13 2023 Evgeny Sinelnikov <sin@altlinux.org> 1:1.9.14p1-alt1
- Sudo now requires a C compiler that conforms to ISO C99 or higher to build.
- Fixed a bug where if the "intercept" or "log_subcmds" sudoers option was
enabled and a sub-command was run where the first entry of the argument
vector didn't match the command being run.
- The "intercept_verify" sudoers option is now only applied when the "intercept"
option is set in sudoers. Previously, it was also applied when "log_subcmds"
was enabled.
- The sudoers plugin now canonicalizes command path names before matchin.
- Improved command matching when a chroot is specified in sudoers.
- The visudo utility now displays a warning when it ignores a file in an
include dir such as /etc/sudoers.d.
- When running a command in a pseudo-terminal, sudo will initialize the terminal
settings even if it is the background process.
- Fixed a bug where only the first two digits of the TSID field being was logged.
- The "log_pty" sudoers option is now enabled by default. To restore the historic
behavior where a command is run in the user's terminal, add "Defaults !use_pty"
to the sudoers file.
- Sudo's "-b" option now works when the command is run in a pseudo-terminal.
- When disabling core dumps, sudo now only modifies the soft limit and leaves
the hard limit as-is. This avoids problems on Linux when sudo does not have
CAP_SYS_RESOURCE, which may be the case when run inside a container.
- Sudo configuration file paths have been converted to colon-separated lists of
paths. This makes it possible to have configuration files on a read-only file
system while still allowing for local modifications in a different (writable)
directory.
- Fixed a long-standing bug where a sudoers rule without an explicit runas list
allowed the user to run a command as root and any group instead of just one of
the groups that root is a member of.
- Fixed a bug where a sudoers rule with an explicit runas list allowed a user to
run sudo commands as themselves.
- Fixed a bug that prevented the user from specifying a group on the command line
via "sudo -g" if the rule's Runas_Spec contained a Runas_Alias.
- Fixed regressions in sudo 1.9.13:
+ Fixed a bug that resulted in a missing " ; " separator between environment
variables and the command in log entries.
* Mon Apr 17 2023 Evgeny Sinelnikov <sin@altlinux.org> 1:1.9.13p3-alt1
- Update to latest stable release with regressions.
- Fixed a bug that could cause sudo to hang when running a command
in a pseudo-terminal when there is still input buffered after a
command has exited.
- Fixed regressions in sudo 1.9.13:
+ Fixed a bug introduced in sudo 1.9.13 that caused a syntax error
when "list" was used as a user or host name (GitHub #246).
+ Fixed "sudo -U otheruser -l command" (GitHub #248).
+ Fixed "sudo -l command args" when matching a command in sudoers
with command line arguments (GitHub #249).
* Mon Feb 27 2023 Evgeny Sinelnikov <sin@altlinux.org> 1:1.9.13p2-alt1
- Update to latest stable release.
- Fix run_time message validation in logsrvd.
- Fixed a potential double-free bug when matching a sudoers rule
that contains a per-command chroot directive (CHROOT=dir).
* Mon Feb 20 2023 Evgeny Sinelnikov <sin@altlinux.org> 1:1.9.13p1-alt1
- Update to latest stable release.
- Fixed potential memory leaks in error paths (GitHub#199, GitHub#202).
- Fixed potential NULL dereferences on memory allocation failure (GitHub#204,
GitHub#211).
- A missing include file in sudoers is no longer a fatal error
unless the error_recovery plugin argument has been set to false.
- Fixed a bug running relative commands via sudo when "log_subcmds"
is enabled (GitHub#194).
- Fixed a signal handling bug when running sudo commands in a shell
script. Signals were not being forwarded to the command when
the sudo process was not run in its own process group.
- Added a reminder to the default lecture that the password will
not echo. This line is only displayed when the pwfeedback option
is disabled (GitHub#195).
- Regular expressions in sudoers or logsrvd.conf may no longer contain
consecutive repetition operators. This is implementation-specific behavior
according to POSIX, but some implementations will allocate excessive amounts
of memory. This mainly affects the fuzzers.
- Sudo no longer checks the ownership and mode of the plugins that it loads.
Plugins are configured via either the sudo.conf or sudoers file which are
trusted configuration files.
- Fixed a bug executing a command with a very long argument vector when
"log_subcmds" or "intercept" is enabled on a system where "intercept_type"
is set to "trace" (GitHub#194).
* Sun Jan 22 2023 Evgeny Sinelnikov <sin@altlinux.org> 1:1.9.12p2-alt1
- Update to latest stable bugfix and security release (closes: 44965).
- Fixed a compilation error on Linux/aarch64 (GitHub#197).
- Fixed a potential crash introduced in the fix for (GitHub#134):
+ If a user's sudoers entry did not have any RunAs user's set, running
"sudo -U otheruser -l" would dereference a NULL pointer.
- Fixed a bug introduced in sudo 1.9.12 that could prevent sudo from creating
a I/O files when the "iolog_file" sudoers setting contains six or more Xs.
- Fixed security issue (fixes: CVE-2023-22809), a flaw in sudo's -e option (aka
sudoedit) that could allow a malicious user with sudoedit privileges to edit
arbitrary files.
* Mon Nov 07 2022 Evgeny Sinelnikov <sin@altlinux.org> 1:1.9.12p1-alt1
- Update to latest stable bugfix and security release (fixes: CVE-2022-43995).
- Major improvements from latest Sisyphus release:
+ For ptrace-based intercept mode, sudo will now attempt to verify that the
command path name, arguments and environment have not changed from the time
when they were authorized by the security policy. The new intercept_verify
sudoers setting can be used to control this behavior.
+ Sudo now supports passing the execve(2) system call the NULL pointer for the
argv and/or envp arguments when in intercept mode. Linux treats a NULL pointer
like an empty array.
+ Neovim has been added to the list of visudo editors that support passing the
line number on the command line.
+ Added a new -N (no-update) command line option to sudo which can be used to
prevent sudo from updating the user's cached credentials.
+ PAM approval modules are no longer invoked when running sub-commands in
intercept mode unless the intercept_authenticate option is set. There is a
substantial performance penalty for calling into PAM for each command run.
PAM approval modules are still called for the initial command.
+ Intercept mode on Linux now uses process_vm_readv(2) and process_vm_writev(2)
if available.
+ The XDG_CURRENT_DESKTOP environment variable is now preserved by default.
This makes it possible for graphical applications to choose the correct theme
when run via sudo.
+ The cvtsudoers manual now documents the JSON and CSV output formats.
+ The new log_stdin, log_stdout, log_stderr, log_ttyin, and log_ttyout sudoers
settings can be used to support more fine-grained I/O logging. The sudo
front-end no longer allocates a pseudo-terminal when running a command if the
I/O logging plugin requests logging of stdin, stdout, or stderr but not
terminal input/output.
+ Added the -I option to visudo which only edits the main sudoers file.
Include files are not edited unless a syntax error is found.
* Mon Nov 07 2022 Evgeny Sinelnikov <sin@altlinux.org> 1:1.9.11p3-alt4
- Rebuild with upstream sources from https://github.com/sudo-project/sudo
(manual import of archives no more needed).
* Mon Oct 24 2022 Evgeny Sinelnikov <sin@altlinux.org> 1:1.9.11p3-alt3
- Add sudopw control with rule Defaults for user, root, target or runas type
of user account password credentials that are verified during authentication.
* Fri Oct 21 2022 Evgeny Sinelnikov <sin@altlinux.org> 1:1.9.11p3-alt2
- Fix sudowheel control to be more flexible and supported the default 'ALL:ALL'
Runas_Spec with group alias specified.
- Fix initialization error in post-scripts for sudoreplay and sudowheel controls
during first installation process (closes: 41907).
* Thu Oct 20 2022 Evgeny Sinelnikov <sin@altlinux.org> 1:1.9.11p3-alt1
- Update to latest stable release.
- Major improvemnents from latest Sisyphus release:
+ Added new log_passwords and passprompt_regex settings to sudo_logsrvd that
operate like the sudoers options when logging terminal input.
+ A new noninteractive_auth sudoers option has been added to enable PAM
authentication in non-interactive mode.
+ When sudo is run in non-interactive mode (with the -n option), it will now
attempt PAM authentication and only exit with an error if user interaction is
required.
+ The intercept and log_subcmds functionality can now use ptrace(2) on Linux
systems that support seccomp(2) filtering.
- Tweak default password prompt as %%u doesn't make sense. Improve it by old fix
from Patrick Schoenfeld that adds a %%p and uses it by default (closes: 38612).
* Mon Oct 11 2021 Evgeny Sinelnikov <sin@altlinux.org> 1:1.9.8p2-alt1
- Fixed minor troubles and regressions.
* Thu Sep 16 2021 Evgeny Sinelnikov <sin@altlinux.org> 1:1.9.8-alt1
- Update to latest stable release with support transparently intercepting
sub-commands executed by the original command run via sudo.
* Sat Sep 11 2021 Evgeny Sinelnikov <sin@altlinux.org> 1:1.9.7p2-alt1
- Update to latest stable release with bugfixes and improvements:
+ Sudo now can handle the getgroups() function returning a different
number of groups for subsequent invocations.
* Fri May 14 2021 Evgeny Sinelnikov <sin@altlinux.org> 1:1.9.7-alt1
- Update to latest stable release
* Fri May 14 2021 Nikolai Kostrigin <nickel@altlinux.org> 1:1.9.6p1-alt2
- Fix missing word typo in Russian translation file
* Thu Mar 25 2021 Evgeny Sinelnikov <sin@altlinux.org> 1:1.9.6p1-alt1
- Update to latest bugfix release of the sudo 1.9
* Wed Jan 27 2021 Evgeny Sinelnikov <sin@altlinux.org> 1:1.9.5p2-alt2
- Set sudo python plugin to be definable and enabled by default
* Wed Jan 27 2021 Evgeny Sinelnikov <sin@altlinux.org> 1:1.9.5p2-alt1
- Update to latest security release (fixes: CVE-2021-3156) (closes: 39615)
- Added sudo-python package with Sudo Python Plugin API
- Added sudo-logsrvd package with High-performance log server
* Fri Nov 13 2020 Evgeny Sinelnikov <sin@altlinux.org> 1:1.9.3p1-alt1
- Update to latest release
- Enable python policy support
* Sun Aug 30 2020 Evgeny Sinelnikov <sin@altlinux.org> 1:1.9.2-alt1
- Update to latest release of the sudo 1.9 (Fixes: CVE-2019-19232, CVE-2019-19234)
- Added sudo event and I/O log server
- Added send sudo I/O log to log server utility
- Added selinux support
- Added native audit support
* Sun Aug 30 2020 Evgeny Sinelnikov <sin@altlinux.org> 1:1.8.31p2-alt1
- Update to latest release (Fixes: CVE-2019-18634)
* Tue Oct 15 2019 Evgeny Sinelnikov <sin@altlinux.org> 1:1.8.28-alt1
- Update to autumn security release (closes: 37334)
- Code execution with euid==0 in rare box configurations (fixes: CVE-2019-14287)
- Fix post script for sudowheel control in case of upgrade in not default state
* Thu Apr 11 2019 Evgeny Sinelnikov <sin@altlinux.org> 1:1.8.27-alt1
- Update to last winter release
* Fri Dec 07 2018 Evgeny Sinelnikov <sin@altlinux.org> 1:1.8.26-alt1
- Update to last autumn release
- Fix post script for sudowheel control (closes: 35611)
* Thu Nov 08 2018 Evgeny Sinelnikov <sin@altlinux.org> 1:1.8.25p1-alt2
- Reapply replace libsudo_util.so to libexecdir (avoid rpath in binaries)
- Set sudowheel control with rule "ALL=(ALL) ALL" for wheel users disabled
by default (closes: 18344)
* Tue Nov 06 2018 Evgeny Sinelnikov <sin@altlinux.org> 1:1.8.25p1-alt1
- Update to latest release
- Disable ubt macros due binary package identity change
- Replace libsudo_util.so to libexecdir
- Add new cvtsudoers utility
* Fri Apr 27 2018 Evgeny Sinelnikov <sin@altlinux.org> 1:1.8.22-alt1
- Update to latest winter release
- Add sudowheel control with rule "ALL=(ALL) ALL" for wheel users enabled
by default (closes: 18344)
* Thu Nov 23 2017 Evgeny Sinelnikov <sin@altlinux.org> 1:1.8.21p2-alt1
- Update to latest autumn release
* Fri Jun 02 2017 Evgeny Sinelnikov <sin@altlinux.ru> 1:1.8.20p2-alt1
- Update to first summer security release
* Wed May 31 2017 Evgeny Sinelnikov <sin@altlinux.ru> 1:1.8.20p1-alt1
- Update to spring security release ((Fixes: CVE-2017-1000367)
* Mon May 29 2017 Evgeny Sinelnikov <sin@altlinux.ru> 1:1.8.20-alt1
- Update to latest spring release
* Tue Jan 10 2017 Evgeny Sinelnikov <sin@altlinux.ru> 1:1.8.19p1-alt6
- Add compatibility trigger for /etc/sudoers.d and /etc/sudo.d
- Avoid sudoreplay pre and post control warnings
* Mon Jan 02 2017 Evgeny Sinelnikov <sin@altlinux.ru> 1:1.8.19p1-alt5
- Add warning if /etc/sudo.d directory exixsts
* Wed Dec 28 2016 Evgeny Sinelnikov <sin@altlinux.ru> 1:1.8.19p1-alt4
- Disable sudo rule for root by default
* Tue Dec 27 2016 Evgeny Sinelnikov <sin@altlinux.ru> 1:1.8.19p1-alt3
- Fixed relaxed control rule for sudoers
* Mon Dec 26 2016 Evgeny Sinelnikov <sin@altlinux.ru> 1:1.8.19p1-alt2
- Build without *.la files in modules directory
* Wed Dec 21 2016 Evgeny Sinelnikov <sin@altlinux.ru> 1:1.8.19p1-alt1
- Updated to last stable release 1.8.19p1 with sssd features
* Thu Aug 04 2016 Evgeny Sinelnikov <sin@altlinux.ru> 1:1.8.17p1-alt2
- Fixed new sudoers template with sudoers.control settings
* Thu Jul 28 2016 Evgeny Sinelnikov <sin@altlinux.ru> 1:1.8.17p1-alt1
- Updated to last stable release 1.8.17p1
* Tue Jun 30 2015 Evgeny Sinelnikov <sin@altlinux.ru> 1:1.8.13-alt1
- Updated to last stable release 1.8.13
* Mon Jan 27 2014 Evgeny Sinelnikov <sin@altlinux.ru> 1:1.8.9p4-alt1
- Updated to last stable release 1.8.9p4
* Mon Oct 07 2013 Evgeny Sinelnikov <sin@altlinux.ru> 1:1.8.8-alt1
- Updated to new relrease 1.8.8
* Fri Oct 04 2013 Evgeny Sinelnikov <sin@altlinux.ru> 1:1.8.6p8-alt1
- Updated to 1.8.6p8
* Tue Feb 12 2013 Evgeny Sinelnikov <sin@altlinux.ru> 1:1.8.6p6-alt1
- Updated to 1.8.6p6
* Wed Jan 16 2013 Evgeny Sinelnikov <sin@altlinux.ru> 1:1.8.6p4-alt1
- Updated to 1.8.6p4
* Wed Dec 19 2012 Evgeny Sinelnikov <sin@altlinux.ru> 1:1.8.6p3-alt1
- Updated to 1.8.6p3
- Enabled /etc/sudoers.d by default (for new installations)
- Added sudo-devel package for plugin development
* Fri Jul 13 2012 Vitaly Kuznetsov <vitty@altlinux.ru> 1:1.6.8p12-alt12
- Dropped /etc/sudo.d from package and Provides, handling left for
compatibility.
* Thu Jul 12 2012 Vitaly Kuznetsov <vitty@altlinux.ru> 1:1.6.8p12-alt11
- Implemented /etc/sudoers.d support to provide upstream-compatibility
/etc/sudo.d support left for backward compatibility.
* Thu Jul 12 2012 Dmitry V. Levin <ldv@altlinux.org> 1:1.6.8p12-alt10
- Fixed generation of man pages (by george@; closes: #27479).
* Thu May 24 2012 Dmitry V. Levin <ldv@altlinux.org> 1:1.6.8p12-alt9
- Relocated sudo timestamp directory: /var/run/sudo -> /var/lib/sudo.
* Tue Jun 01 2010 Dmitry V. Levin <ldv@altlinux.org> 1:1.6.8p12-alt8
- Backported upstream fix for CVE-2010-1163 (env_reset, ignore_dot and
secure_path sudoers options all had to be explicitly disabled
to make an attack possible).
- Backported upstream fix for CVE-2010-1646 (env_reset sudoers option
had to be explicitly disabled to make an attack possible).
* Tue Feb 23 2010 Dmitry V. Levin <ldv@altlinux.org> 1:1.6.8p12-alt7
- Backported upstream fix for CVE-2010-0426 (a flaw in sudoedit could
give a user with permission to run sudoedit the ability to run
arbitrary commands; env_reset sudoers option had to be
explicitly disabled to make an attack possible).
* Wed May 06 2009 Dmitry V. Levin <ldv@altlinux.org> 1:1.6.8p12-alt6
- Fixed build with fresh libtool.
* Mon Jan 21 2008 Dmitry V. Levin <ldv@altlinux.org> 1:1.6.8p12-alt5
- Documented that set_home is on by default due to --enable-shell-sets-home.
- Configured less confusing default password prompt (#13719).
- Fixed build with autoconf-2.61.
* Sat Aug 04 2007 Dmitry V. Levin <ldv@altlinux.org> 1:1.6.8p12-alt4
- Fixed typo in configure check (george, #12449, #12462).
- sudoers (#11753):
+ Added DISPLAY and XAUTHORITY to env_keep for "xgrp" group members.
+ Added "!env_reset" example.
+ Added sudoers environment control.
* Tue May 22 2007 Dmitry V. Levin <ldv@altlinux.org> 1:1.6.8p12-alt3
- Forced manpage generation from .pod files.
- sudoers: Added "DISPLAY" to env_keep.
* Sat May 05 2007 Dmitry V. Levin <ldv@altlinux.org> 1:1.6.8p12-alt2
- Reverted change to requiretty default value.
- Resurrected tgetpass fix from 1.6.6-alt3.
* Tue Apr 17 2007 Dmitry V. Levin <ldv@altlinux.org> 1:1.6.8p12-alt1
- Updated to 1.6.8p12 with backports from HEAD.
- Enabled env_reset, requiretty and tty_tickets options by default.
* Thu Jan 12 2006 ALT QA Team Robot <qa-robot@altlinux.org> 1:1.6.7p5-alt6.1
- Rebuilt for new style PAM dependencies generated by rpm-build-4.0.4-alt55.
* Fri Aug 26 2005 Dmitry V. Levin <ldv@altlinux.org> 1:1.6.7p5-alt6
- Added system logger initialization, removed closelog() calls.
* Tue Jun 21 2005 Dmitry V. Levin <ldv@altlinux.org> 1:1.6.7p5-alt5
- Backported upstream fix so a sudoers entry with sudo ALL no longer
overwrites the value of safe_cmnd (CAN-2005-1993).
* Fri Nov 12 2004 Dmitry V. Levin <ldv@altlinux.org> 1:1.6.7p5-alt4
- Backported upstream fix that restricts exporting of shell functions
and CDPATH shell variable (CAN-2004-1051).
- Added help to control.
* Thu Mar 11 2004 Dmitry V. Levin <ldv@altlinux.org> 1:1.6.7p5-alt3
- Changed "listpw" default value from "any" to "all".
* Wed Mar 10 2004 Dmitry V. Levin <ldv@altlinux.org> 1:1.6.7p5-alt2
- Fixed build with fresh autotools.
* Tue Jul 29 2003 Dmitry V. Levin <ldv@altlinux.org> 1:1.6.7p5-alt1
- Updated to 1.6.7p5.
* Sat May 24 2003 Dmitry V. Levin <ldv@altlinux.org> 1:1.6.7p2-alt2
- PAM configuration policy enforcement.
* Tue Apr 08 2003 Dmitry V. Levin <ldv@altlinux.org> 1:1.6.7p2-alt1
- Updated to 1.6.7p2, updated patches.
- Enable setting $HOME to target user in shell mode.
- Keep sudo at mode "restricted" in the package, but default it
to "wheelonly" in %post when the package is first installed.
This avoids a race and fail-open behavior (like in su package).
* Thu Oct 17 2002 Dmitry V. Levin <ldv@altlinux.org> 1:1.6.6-alt4
- Added control support for sudo.
* Sun Sep 01 2002 Dmitry V. Levin <ldv@altlinux.org> 1:1.6.6-alt3
- tgetpass: The /dev/tty _must_ be opened for reading/writing unless
requested to use stdin/stderr.
* Fri May 17 2002 Dmitry V. Levin <ldv@altlinux.org> 1:1.6.6-alt2
- Set default visudo(8) editor to vitmp(1).
* Mon May 13 2002 Dmitry V. Levin <ldv@altlinux.org> 1:1.6.6-alt1
- 1.6.6
* Fri Apr 19 2002 Dmitry V. Levin <ldv@alt-linux.org> 1:1.6.5p2-alt3
- Applied patch from Tom Parker.
* Mon Jan 28 2002 Dmitry V. Levin <ldv@alt-linux.org> 1:1.6.5p2-alt2
- Added %_sysconfdir/sudo.d
* Thu Jan 24 2002 Dmitry V. Levin <ldv@alt-linux.org> 1:1.6.5p2-alt1
- 1.6.5p2.
- Built with --disable-saved-ids.
* Thu Jan 24 2002 Dmitry V. Levin <ldv@alt-linux.org> 1:1.6.5p1-alt2
- Rebuilt with bison-1.31-alt2.
* Mon Jan 21 2002 Dmitry V. Levin <ldv@alt-linux.org> 1:1.6.5p1-alt1
- 1.6.5p1.
* Thu Jan 17 2002 Dmitry V. Levin <ldv@alt-linux.org> 1:1.6.5-alt1
- 1.6.5 final.
* Tue Jan 15 2002 Dmitry V. Levin <ldv@alt-linux.org> 1:1.6.4-alt2
- Fixed nasty typo in description.
* Mon Jan 14 2002 Dmitry V. Levin <ldv@alt-linux.org> 1:1.6.4-alt1
- 1.6.4 final.
* Sun Jan 13 2002 Dmitry V. Levin <ldv@alt-linux.org> 1:1.6.4-alt0.1rc4
- 1.6.4rc4, which fixes set_perms_posix problem.
* Sat Jan 12 2002 Dmitry V. Levin <ldv@alt-linux.org> 1:1.6.4-alt0.1rc3
- 1.6.4rc3, updated patches.
- Explicitly set sudoers mode to 0400.
- Disabled broken set_perms_posix introduced in new version.
- Cleaned up list of linked libraries.
* Sun Apr 22 2001 Dmitry V. Levin <ldv@altlinux.ru> 1.6.3p7-ipl3mdk
- Fixed progname usage.
- Fixed SECURE_PATH.
- Enabled: --with-secure-path --with-env-editor --with-editor=/bin/vi.
- Implemented optional sudoers file for visudo.
- implemented sudoers lookup in %_sysconfdir/sudo.d directory.
* Mon Mar 05 2001 Dmitry V. Levin <ldv@fandra.org> 1.6.3p7-ipl2mdk
- Corrected license information.
* Sat Mar 03 2001 Dmitry V. Levin <ldv@fandra.org> 1.6.3p7-ipl1mdk
- 1.6.3p7
* Tue Feb 20 2001 Dmitry V. Levin <ldv@fandra.org> 1.6.3p6-ipl1mdk
- 1.6.3p6
* Wed Feb 14 2001 Dmitry V. Levin <ldv@fandra.org> 1.6.3p5-ipl5mdk
- Added set of PAM_TTY.
* Wed Dec 27 2000 Dmitry V. Levin <ldv@fandra.org> 1.6.3p5-ipl4mdk
- Commented out translations in specfile for a while.
* Fri Oct 13 2000 Dmitry V. Levin <ldv@fandra.org> 1.6.3p5-ipl3mdk
- Updated pam configuration.
- Changed syslog facility to log with from local2 to authpriv.
* Fri Sep 01 2000 Dmitry V. Levin <ldv@fandra.org> 1.6.3p5-ipl2mdk
- Russian translations.
* Mon Aug 14 2000 Dmitry V. Levin <ldv@fandra.org> 1.6.3p5-ipl1mdk
- 1.6.3p5
* Wed Jun 07 2000 Dmitry V. Levin <ldv@fandra.org> 1.6.3p4-ipl1mdk
- 1.6.3p4
* Mon May 15 2000 Dmitry V. Levin <ldv@fandra.org> 1.6.3p3-ipl1mdk
- 1.6.3p3
* Thu May 04 2000 Dmitry V. Levin <ldv@fandra.org>
- Fandra adaptions
* Fri Apr 07 2000 Chmouel Boudjnah <chmouel@mandrakesoft.com> 1.6.2p2-3mdk
- Set /etc/sudoers as 0440.
* Fri Apr 7 2000 Denis Havlik <denis@mandrakesoft.com> 1.6.2p2-2mdk
- Group: System/Base
- fixed config files
* Mon Feb 28 2000 Chmouel Boudjnah <chmouel@mandrakesoft.com> 1.6.2p2-1mdk
- 1.62p2.
* Wed Feb 9 2000 Chmouel Boudjnah <chmouel@mandrakesoft.com> 1.6.2p1-1mdk
- 1.6.2p1.
- specs teak.
* Thu Jul 29 1999 Chmouel Boudjnah <chmouel@mandrakesoft.com>
- Mandrake adaptations.
* Fri Jun 4 1999 Ryan Weaver <ryanw@infohwy.com>
[sudo-1.5.9p3-1]
- Updated to version 1.5.9p3
- Changed RPM name from cu-sudo tp sudo.
* Fri Jun 4 1999 Ryan Weaver <ryanw@infohwy.com>
[cu-sudo-1.5.9p2-1]
- Added dir /var/run/sudo to file list.
- Added --enable-log-host --disable-log-wrap to configure.
- Added --with-logging=file to configure.
- Added logrotate.d file to rotate /var/log/sudo.log monthly.
* Fri Jun 4 1999 Ryan Weaver <ryanw@infohwy.com>
[cu-sudo-1.5.9p2-1]
- Initial RPM build.
- Installing sample pam file.