[arch-commits] Commit in sudo/repos (12 files)
Evangelos Foutras
foutrelis at archlinux.org
Wed Sep 6 19:32:44 UTC 2017
Date: Wednesday, September 6, 2017 @ 19:32:43
Author: foutrelis
Revision: 304761
archrelease: copy trunk to testing-i686, testing-x86_64
Added:
sudo/repos/testing-i686/
sudo/repos/testing-i686/PKGBUILD
(from rev 304760, sudo/trunk/PKGBUILD)
sudo/repos/testing-i686/fix-pam-prompt.patch
(from rev 304760, sudo/trunk/fix-pam-prompt.patch)
sudo/repos/testing-i686/fix-usage-of-signal-pipe.patch
(from rev 304760, sudo/trunk/fix-usage-of-signal-pipe.patch)
sudo/repos/testing-i686/sudo.install
(from rev 304760, sudo/trunk/sudo.install)
sudo/repos/testing-i686/sudo.pam
(from rev 304760, sudo/trunk/sudo.pam)
sudo/repos/testing-x86_64/
sudo/repos/testing-x86_64/PKGBUILD
(from rev 304760, sudo/trunk/PKGBUILD)
sudo/repos/testing-x86_64/fix-pam-prompt.patch
(from rev 304760, sudo/trunk/fix-pam-prompt.patch)
sudo/repos/testing-x86_64/fix-usage-of-signal-pipe.patch
(from rev 304760, sudo/trunk/fix-usage-of-signal-pipe.patch)
sudo/repos/testing-x86_64/sudo.install
(from rev 304760, sudo/trunk/sudo.install)
sudo/repos/testing-x86_64/sudo.pam
(from rev 304760, sudo/trunk/sudo.pam)
-----------------------------------------------+
testing-i686/PKGBUILD | 82 ++++++++++++++++++++++++
testing-i686/fix-pam-prompt.patch | 66 +++++++++++++++++++
testing-i686/fix-usage-of-signal-pipe.patch | 51 ++++++++++++++
testing-i686/sudo.install | 9 ++
testing-i686/sudo.pam | 4 +
testing-x86_64/PKGBUILD | 82 ++++++++++++++++++++++++
testing-x86_64/fix-pam-prompt.patch | 66 +++++++++++++++++++
testing-x86_64/fix-usage-of-signal-pipe.patch | 51 ++++++++++++++
testing-x86_64/sudo.install | 9 ++
testing-x86_64/sudo.pam | 4 +
10 files changed, 424 insertions(+)
Copied: sudo/repos/testing-i686/PKGBUILD (from rev 304760, sudo/trunk/PKGBUILD)
===================================================================
--- testing-i686/PKGBUILD (rev 0)
+++ testing-i686/PKGBUILD 2017-09-06 19:32:43 UTC (rev 304761)
@@ -0,0 +1,82 @@
+# $Id$
+# Maintainer: Evangelos Foutras <evangelos at foutrelis.com>
+# Contributor: Allan McRae <allan at archlinux.org>
+# Contributor: Tom Newsom <Jeepster at gmx.co.uk>
+
+pkgname=sudo
+_sudover=1.8.21p1
+pkgver=${_sudover/p/.p}
+pkgrel=3
+pkgdesc="Give certain users the ability to run some commands as root"
+arch=('i686' 'x86_64')
+url="https://www.sudo.ws/sudo/"
+license=('custom')
+groups=('base-devel')
+depends=('glibc' 'libgcrypt' 'pam' 'libldap')
+backup=('etc/sudoers' 'etc/pam.d/sudo')
+install=$pkgname.install
+source=(https://www.sudo.ws/sudo/dist/$pkgname-$_sudover.tar.gz{,.sig}
+ fix-pam-prompt.patch
+ fix-usage-of-signal-pipe.patch
+ sudo.pam)
+sha256sums=('ee50d3a249a96b1c5c8d3d21380eb96c63c6e61a888b13e3c2b941b23ab7c808'
+ 'SKIP'
+ 'fc9a37c533664ecfdc7715812e9a93f39891e6fc3d72c23858bee33ac27fcebe'
+ '10af762129cf88b3036a30e6c1d19ec69b70911161d4f419fd5b86f160a1a4f1'
+ 'd1738818070684a5d2c9b26224906aad69a4fea77aabd960fc2675aee2df1fa2')
+validpgpkeys=('CCB24BE9E9481B15D34159535A89DFA27EE470C4')
+
+prepare() {
+ cd "$srcdir/$pkgname-$_sudover"
+
+ # https://bugzilla.sudo.ws/show_bug.cgi?id=799
+ patch -Np1 -i ../fix-pam-prompt.patch
+
+ # https://bugzilla.sudo.ws/show_bug.cgi?id=800
+ patch -Np1 -i ../fix-usage-of-signal-pipe.patch
+}
+
+build() {
+ cd "$srcdir/$pkgname-$_sudover"
+
+ ./configure \
+ --prefix=/usr \
+ --sbindir=/usr/bin \
+ --libexecdir=/usr/lib \
+ --with-rundir=/run/sudo \
+ --with-vardir=/var/db/sudo \
+ --with-logfac=auth \
+ --enable-gcrypt \
+ --enable-tmpfiles.d \
+ --with-pam \
+ --with-sssd \
+ --with-ldap \
+ --with-ldap-conf-file=/etc/openldap/ldap.conf \
+ --with-env-editor \
+ --with-passprompt="[sudo] password for %p: " \
+ --with-all-insults
+ make
+}
+
+check() {
+ cd "$srcdir/$pkgname-$_sudover"
+ make check
+}
+
+package() {
+ cd "$srcdir/$pkgname-$_sudover"
+ make DESTDIR="$pkgdir" install
+
+ # Remove sudoers.dist; not needed since pacman manages updates to sudoers
+ rm "$pkgdir/etc/sudoers.dist"
+
+ # Remove /run/sudo directory; we create it using systemd-tmpfiles
+ rmdir "$pkgdir/run/sudo"
+ rmdir "$pkgdir/run"
+
+ install -Dm644 "$srcdir/sudo.pam" "$pkgdir/etc/pam.d/sudo"
+
+ install -Dm644 doc/LICENSE "$pkgdir/usr/share/licenses/sudo/LICENSE"
+}
+
+# vim:set ts=2 sw=2 et:
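Review bot: The two `patch -Np1` calls in prepare() are annotated only with bugzilla URLs, so nothing marks them as upstream backports to drop at the next version bump. The patch files carry the upstream node IDs, and I would put them in the comments, e.g. `# Upstream changeset 6ee5cc13af69 (bug 799); drop once _sudover contains it` and `# Upstream changeset 7668f93e6544 (bug 800); drop once _sudover contains it`. The source verification itself looks complete: the tarball has a pinned sha256 plus a signature checked against `validpgpkeys`, and the local patches are pinned by sha256. The same applies to the identical testing-x86_64/PKGBUILD hunk.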
Copied: sudo/repos/testing-i686/fix-pam-prompt.patch (from rev 304760, sudo/trunk/fix-pam-prompt.patch)
===================================================================
--- testing-i686/fix-pam-prompt.patch (rev 0)
+++ testing-i686/fix-pam-prompt.patch 2017-09-06 19:32:43 UTC (rev 304761)
@@ -0,0 +1,66 @@
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller at courtesan.com>
+# Date 1504625419 21600
+# Node ID 6ee5cc13af69f4248dfa1d89215e7c95fa90d051
+# Parent 7e6bf56cb06cfdc82f5b636ebe2851cfeda50f17
+Fix a logic error in 96651906de42 which prevented sudo from using
+the PAM-supplied prompt. Bug #799
+
+diff -r 7e6bf56cb06c -r 6ee5cc13af69 plugins/sudoers/auth/pam.c
+--- a/plugins/sudoers/auth/pam.c Fri Sep 01 14:09:43 2017 -0600
++++ b/plugins/sudoers/auth/pam.c Tue Sep 05 09:30:19 2017 -0600
+@@ -435,28 +435,32 @@
+ size_t user_len;
+ debug_decl(use_pam_prompt, SUDOERS_DEBUG_AUTH)
+
+- if (!def_passprompt_override) {
+- /* If sudo prompt matches "^Password: ?$", use PAM prompt. */
+- if (PROMPT_IS_PASSWORD(def_prompt))
+- debug_return_bool(true);
+-
+- /* If PAM prompt matches "^Password: ?$", use sudo prompt. */
+- if (PAM_PROMPT_IS_PASSWORD(pam_prompt))
+- debug_return_bool(false);
++ /* Always use sudo prompt if passprompt_override is set. */
++ if (def_passprompt_override)
++ debug_return_bool(false);
+
+- /*
+- * Some PAM modules use "^username's Password: ?$" instead of
+- * "^Password: ?" so check for that too.
+- */
+- user_len = strlen(user_name);
+- if (strncmp(pam_prompt, user_name, user_len) == 0) {
+- const char *cp = pam_prompt + user_len;
+- if (strncmp(cp, "'s Password:", 12) == 0 &&
+- (cp[12] == '\0' || (cp[12] == ' ' && cp[13] == '\0')))
+- debug_return_bool(false);
+- }
++ /* If sudo prompt matches "^Password: ?$", use PAM prompt. */
++ if (PROMPT_IS_PASSWORD(def_prompt))
++ debug_return_bool(true);
++
++ /* If PAM prompt matches "^Password: ?$", use sudo prompt. */
++ if (PAM_PROMPT_IS_PASSWORD(pam_prompt))
++ debug_return_bool(false);
++
++ /*
++ * Some PAM modules use "^username's Password: ?$" instead of
++ * "^Password: ?" so check for that too.
++ */
++ user_len = strlen(user_name);
++ if (strncmp(pam_prompt, user_name, user_len) == 0) {
++ const char *cp = pam_prompt + user_len;
++ if (strncmp(cp, "'s Password:", 12) == 0 &&
++ (cp[12] == '\0' || (cp[12] == ' ' && cp[13] == '\0')))
++ debug_return_bool(false);
+ }
+- debug_return_bool(false);
++
++ /* Otherwise, use the PAM prompt. */
++ debug_return_bool(true);
+ }
+
+ /*
+
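Review bot: In the re-indented username check, the length `12` in `strncmp(cp, "'s Password:", 12)` and the `cp[12]`/`cp[13]` indexes are kept in step with the literal by hand, so a later edit to the string that misses one of them would test the wrong bytes. Deriving the offset from the literal ties them together, e.g. `const size_t n = sizeof("'s Password:") - 1;` followed by `strncmp(cp, "'s Password:", n) == 0 && (cp[n] == '\0' || (cp[n] == ' ' && cp[n + 1] == '\0'))`. The function (use_pam_prompt, going by the `debug_decl` line) starts above the hunk. As this is a vendored upstream changeset, the change belongs upstream rather than in this copy. The identical file under testing-x86_64 is covered by this note.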
Copied: sudo/repos/testing-i686/fix-usage-of-signal-pipe.patch (from rev 304760, sudo/trunk/fix-usage-of-signal-pipe.patch)
===================================================================
--- testing-i686/fix-usage-of-signal-pipe.patch (rev 0)
+++ testing-i686/fix-usage-of-signal-pipe.patch 2017-09-06 19:32:43 UTC (rev 304761)
@@ -0,0 +1,51 @@
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller at courtesan.com>
+# Date 1504722576 21600
+# Node ID 7668f93e6544c762e6753590426ca882c0a373a5
+# Parent 6ee5cc13af69f4248dfa1d89215e7c95fa90d051
+The read and write sides of signal_pipe[] were swapped, resulting
+in EBADF reading from and writing to the signal pipe on Linux and
+probably others. On systems with bidirectional pipes this was not
+an issue.
+
+diff -r 6ee5cc13af69 -r 7668f93e6544 lib/util/event.c
+--- a/lib/util/event.c Tue Sep 05 09:30:19 2017 -0600
++++ b/lib/util/event.c Wed Sep 06 12:29:36 2017 -0600
+@@ -153,7 +153,7 @@
+ }
+ if (nread == -1 && errno != EAGAIN) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO,
+- "%s: error reading from signal pipe", __func__);
++ "%s: error reading from signal pipe fd %d", __func__, fd);
+ }
+
+ /* Activate signal events. */
+@@ -182,7 +182,7 @@
+ "%s: unable to create signal pipe", __func__);
+ goto bad;
+ }
+- sudo_ev_init(&base->signal_event, base->signal_pipe[1],
++ sudo_ev_init(&base->signal_event, base->signal_pipe[0],
+ SUDO_EV_READ|SUDO_EV_PERSIST, signal_pipe_cb, base);
+
+ debug_return_int(0);
+@@ -341,7 +341,7 @@
+ signal_base->signal_caught = 1;
+
+ /* Wake up the other end of the pipe. */
+- ignore_result(write(signal_base->signal_pipe[0], &ch, 1));
++ ignore_result(write(signal_base->signal_pipe[1], &ch, 1));
+ }
+ }
+
+@@ -622,7 +622,7 @@
+ if (errno == EINTR) {
+ /* Interrupted by signal, check for sigevents. */
+ if (base->signal_caught) {
+- signal_pipe_cb(base->signal_pipe[1], SUDO_EV_READ, base);
++ signal_pipe_cb(base->signal_pipe[0], SUDO_EV_READ, base);
+ break;
+ }
+ continue;
+
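Review bot: The signal-handler write, `ignore_result(write(signal_base->signal_pipe[1], &ch, 1))`, still discards its result with no comment saying why that is acceptable. A silently dropped EBADF on this path is presumably part of how the swapped pipe ends went unnoticed. From the visible lines, the fallback is that `signal_caught` is set just before the write and the EINTR branch calls `signal_pipe_cb` directly. I would state that next to the call: `/* Write may fail; signal_caught is set above and is checked on EINTR. */`. All four hunks cut through functions that start and end outside the patch, and the identical file under testing-x86_64 is covered by this note.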
Copied: sudo/repos/testing-i686/sudo.install (from rev 304760, sudo/trunk/sudo.install)
===================================================================
--- testing-i686/sudo.install (rev 0)
+++ testing-i686/sudo.install 2017-09-06 19:32:43 UTC (rev 304761)
@@ -0,0 +1,9 @@
+pre_upgrade() {
+ # Permissions of /var/db/sudo were changed from 0700 to 0711 in sudo 1.8.10
+ # http://www.sudo.ws/repos/sudo/rev/5c38d77a2d0c
+ if (($(vercmp $2 1.8.10-1) < 0)); then
+ chmod 0711 var/db/sudo
+ fi
+}
+
+# vim:set ts=2 sw=2 et:
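Review bot: In pre_upgrade(), `$2` is expanded unquoted inside `$(vercmp $2 1.8.10-1)`. The following `chmod 0711 var/db/sudo` uses a relative path with no check that the directory exists, so the scriptlet relies on being run from the install root. Quoting and a guard are cheap: `if [[ -d var/db/sudo ]] && (($(vercmp "$2" 1.8.10-1) < 0)); then`. The same applies to the identical testing-x86_64/sudo.install hunk.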
Copied: sudo/repos/testing-i686/sudo.pam (from rev 304760, sudo/trunk/sudo.pam)
===================================================================
--- testing-i686/sudo.pam (rev 0)
+++ testing-i686/sudo.pam 2017-09-06 19:32:43 UTC (rev 304761)
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth include system-auth
+account include system-auth
+session include system-auth
Copied: sudo/repos/testing-x86_64/PKGBUILD (from rev 304760, sudo/trunk/PKGBUILD)
===================================================================
--- testing-x86_64/PKGBUILD (rev 0)
+++ testing-x86_64/PKGBUILD 2017-09-06 19:32:43 UTC (rev 304761)
@@ -0,0 +1,82 @@
+# $Id$
+# Maintainer: Evangelos Foutras <evangelos at foutrelis.com>
+# Contributor: Allan McRae <allan at archlinux.org>
+# Contributor: Tom Newsom <Jeepster at gmx.co.uk>
+
+pkgname=sudo
+_sudover=1.8.21p1
+pkgver=${_sudover/p/.p}
+pkgrel=3
+pkgdesc="Give certain users the ability to run some commands as root"
+arch=('i686' 'x86_64')
+url="https://www.sudo.ws/sudo/"
+license=('custom')
+groups=('base-devel')
+depends=('glibc' 'libgcrypt' 'pam' 'libldap')
+backup=('etc/sudoers' 'etc/pam.d/sudo')
+install=$pkgname.install
+source=(https://www.sudo.ws/sudo/dist/$pkgname-$_sudover.tar.gz{,.sig}
+ fix-pam-prompt.patch
+ fix-usage-of-signal-pipe.patch
+ sudo.pam)
+sha256sums=('ee50d3a249a96b1c5c8d3d21380eb96c63c6e61a888b13e3c2b941b23ab7c808'
+ 'SKIP'
+ 'fc9a37c533664ecfdc7715812e9a93f39891e6fc3d72c23858bee33ac27fcebe'
+ '10af762129cf88b3036a30e6c1d19ec69b70911161d4f419fd5b86f160a1a4f1'
+ 'd1738818070684a5d2c9b26224906aad69a4fea77aabd960fc2675aee2df1fa2')
+validpgpkeys=('CCB24BE9E9481B15D34159535A89DFA27EE470C4')
+
+prepare() {
+ cd "$srcdir/$pkgname-$_sudover"
+
+ # https://bugzilla.sudo.ws/show_bug.cgi?id=799
+ patch -Np1 -i ../fix-pam-prompt.patch
+
+ # https://bugzilla.sudo.ws/show_bug.cgi?id=800
+ patch -Np1 -i ../fix-usage-of-signal-pipe.patch
+}
+
+build() {
+ cd "$srcdir/$pkgname-$_sudover"
+
+ ./configure \
+ --prefix=/usr \
+ --sbindir=/usr/bin \
+ --libexecdir=/usr/lib \
+ --with-rundir=/run/sudo \
+ --with-vardir=/var/db/sudo \
+ --with-logfac=auth \
+ --enable-gcrypt \
+ --enable-tmpfiles.d \
+ --with-pam \
+ --with-sssd \
+ --with-ldap \
+ --with-ldap-conf-file=/etc/openldap/ldap.conf \
+ --with-env-editor \
+ --with-passprompt="[sudo] password for %p: " \
+ --with-all-insults
+ make
+}
+
+check() {
+ cd "$srcdir/$pkgname-$_sudover"
+ make check
+}
+
+package() {
+ cd "$srcdir/$pkgname-$_sudover"
+ make DESTDIR="$pkgdir" install
+
+ # Remove sudoers.dist; not needed since pacman manages updates to sudoers
+ rm "$pkgdir/etc/sudoers.dist"
+
+ # Remove /run/sudo directory; we create it using systemd-tmpfiles
+ rmdir "$pkgdir/run/sudo"
+ rmdir "$pkgdir/run"
+
+ install -Dm644 "$srcdir/sudo.pam" "$pkgdir/etc/pam.d/sudo"
+
+ install -Dm644 doc/LICENSE "$pkgdir/usr/share/licenses/sudo/LICENSE"
+}
+
+# vim:set ts=2 sw=2 et:
Copied: sudo/repos/testing-x86_64/fix-pam-prompt.patch (from rev 304760, sudo/trunk/fix-pam-prompt.patch)
===================================================================
--- testing-x86_64/fix-pam-prompt.patch (rev 0)
+++ testing-x86_64/fix-pam-prompt.patch 2017-09-06 19:32:43 UTC (rev 304761)
@@ -0,0 +1,66 @@
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller at courtesan.com>
+# Date 1504625419 21600
+# Node ID 6ee5cc13af69f4248dfa1d89215e7c95fa90d051
+# Parent 7e6bf56cb06cfdc82f5b636ebe2851cfeda50f17
+Fix a logic error in 96651906de42 which prevented sudo from using
+the PAM-supplied prompt. Bug #799
+
+diff -r 7e6bf56cb06c -r 6ee5cc13af69 plugins/sudoers/auth/pam.c
+--- a/plugins/sudoers/auth/pam.c Fri Sep 01 14:09:43 2017 -0600
++++ b/plugins/sudoers/auth/pam.c Tue Sep 05 09:30:19 2017 -0600
+@@ -435,28 +435,32 @@
+ size_t user_len;
+ debug_decl(use_pam_prompt, SUDOERS_DEBUG_AUTH)
+
+- if (!def_passprompt_override) {
+- /* If sudo prompt matches "^Password: ?$", use PAM prompt. */
+- if (PROMPT_IS_PASSWORD(def_prompt))
+- debug_return_bool(true);
+-
+- /* If PAM prompt matches "^Password: ?$", use sudo prompt. */
+- if (PAM_PROMPT_IS_PASSWORD(pam_prompt))
+- debug_return_bool(false);
++ /* Always use sudo prompt if passprompt_override is set. */
++ if (def_passprompt_override)
++ debug_return_bool(false);
+
+- /*
+- * Some PAM modules use "^username's Password: ?$" instead of
+- * "^Password: ?" so check for that too.
+- */
+- user_len = strlen(user_name);
+- if (strncmp(pam_prompt, user_name, user_len) == 0) {
+- const char *cp = pam_prompt + user_len;
+- if (strncmp(cp, "'s Password:", 12) == 0 &&
+- (cp[12] == '\0' || (cp[12] == ' ' && cp[13] == '\0')))
+- debug_return_bool(false);
+- }
++ /* If sudo prompt matches "^Password: ?$", use PAM prompt. */
++ if (PROMPT_IS_PASSWORD(def_prompt))
++ debug_return_bool(true);
++
++ /* If PAM prompt matches "^Password: ?$", use sudo prompt. */
++ if (PAM_PROMPT_IS_PASSWORD(pam_prompt))
++ debug_return_bool(false);
++
++ /*
++ * Some PAM modules use "^username's Password: ?$" instead of
++ * "^Password: ?" so check for that too.
++ */
++ user_len = strlen(user_name);
++ if (strncmp(pam_prompt, user_name, user_len) == 0) {
++ const char *cp = pam_prompt + user_len;
++ if (strncmp(cp, "'s Password:", 12) == 0 &&
++ (cp[12] == '\0' || (cp[12] == ' ' && cp[13] == '\0')))
++ debug_return_bool(false);
+ }
+- debug_return_bool(false);
++
++ /* Otherwise, use the PAM prompt. */
++ debug_return_bool(true);
+ }
+
+ /*
+
Copied: sudo/repos/testing-x86_64/fix-usage-of-signal-pipe.patch (from rev 304760, sudo/trunk/fix-usage-of-signal-pipe.patch)
===================================================================
--- testing-x86_64/fix-usage-of-signal-pipe.patch (rev 0)
+++ testing-x86_64/fix-usage-of-signal-pipe.patch 2017-09-06 19:32:43 UTC (rev 304761)
@@ -0,0 +1,51 @@
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller at courtesan.com>
+# Date 1504722576 21600
+# Node ID 7668f93e6544c762e6753590426ca882c0a373a5
+# Parent 6ee5cc13af69f4248dfa1d89215e7c95fa90d051
+The read and write sides of signal_pipe[] were swapped, resulting
+in EBADF reading from and writing to the signal pipe on Linux and
+probably others. On systems with bidirectional pipes this was not
+an issue.
+
+diff -r 6ee5cc13af69 -r 7668f93e6544 lib/util/event.c
+--- a/lib/util/event.c Tue Sep 05 09:30:19 2017 -0600
++++ b/lib/util/event.c Wed Sep 06 12:29:36 2017 -0600
+@@ -153,7 +153,7 @@
+ }
+ if (nread == -1 && errno != EAGAIN) {
+ sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO|SUDO_DEBUG_ERRNO,
+- "%s: error reading from signal pipe", __func__);
++ "%s: error reading from signal pipe fd %d", __func__, fd);
+ }
+
+ /* Activate signal events. */
+@@ -182,7 +182,7 @@
+ "%s: unable to create signal pipe", __func__);
+ goto bad;
+ }
+- sudo_ev_init(&base->signal_event, base->signal_pipe[1],
++ sudo_ev_init(&base->signal_event, base->signal_pipe[0],
+ SUDO_EV_READ|SUDO_EV_PERSIST, signal_pipe_cb, base);
+
+ debug_return_int(0);
+@@ -341,7 +341,7 @@
+ signal_base->signal_caught = 1;
+
+ /* Wake up the other end of the pipe. */
+- ignore_result(write(signal_base->signal_pipe[0], &ch, 1));
++ ignore_result(write(signal_base->signal_pipe[1], &ch, 1));
+ }
+ }
+
+@@ -622,7 +622,7 @@
+ if (errno == EINTR) {
+ /* Interrupted by signal, check for sigevents. */
+ if (base->signal_caught) {
+- signal_pipe_cb(base->signal_pipe[1], SUDO_EV_READ, base);
++ signal_pipe_cb(base->signal_pipe[0], SUDO_EV_READ, base);
+ break;
+ }
+ continue;
+
Copied: sudo/repos/testing-x86_64/sudo.install (from rev 304760, sudo/trunk/sudo.install)
===================================================================
--- testing-x86_64/sudo.install (rev 0)
+++ testing-x86_64/sudo.install 2017-09-06 19:32:43 UTC (rev 304761)
@@ -0,0 +1,9 @@
+pre_upgrade() {
+ # Permissions of /var/db/sudo were changed from 0700 to 0711 in sudo 1.8.10
+ # http://www.sudo.ws/repos/sudo/rev/5c38d77a2d0c
+ if (($(vercmp $2 1.8.10-1) < 0)); then
+ chmod 0711 var/db/sudo
+ fi
+}
+
+# vim:set ts=2 sw=2 et:
Copied: sudo/repos/testing-x86_64/sudo.pam (from rev 304760, sudo/trunk/sudo.pam)
===================================================================
--- testing-x86_64/sudo.pam (rev 0)
+++ testing-x86_64/sudo.pam 2017-09-06 19:32:43 UTC (rev 304761)
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth include system-auth
+account include system-auth
+session include system-auth