[arch-commits] Commit in sudo/trunk (PKGBUILD disable-non-interative-auth.patch)
Evangelos Foutras
foutrelis at gemini.archlinux.org
Wed Feb 2 08:10:28 UTC 2022
Date: Wednesday, February 2, 2022 @ 08:10:27
Author: foutrelis
Revision: 435754
upgpkg: sudo 1.9.9-2: disable non-interactive auth
https://github.com/sudo-project/sudo/issues/131
Added:
sudo/trunk/disable-non-interative-auth.patch
Modified:
sudo/trunk/PKGBUILD
-----------------------------------+
PKGBUILD | 5 +
disable-non-interative-auth.patch | 142 ++++++++++++++++++++++++++++++++++++
2 files changed, 146 insertions(+), 1 deletion(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2022-02-02 07:13:57 UTC (rev 435753)
+++ PKGBUILD 2022-02-02 08:10:27 UTC (rev 435754)
@@ -4,7 +4,7 @@
pkgname=sudo
_sudover=1.9.9
-pkgrel=1
+pkgrel=2
pkgver=${_sudover/p/.p}
pkgdesc="Give certain users the ability to run some commands as root"
arch=('x86_64')
@@ -19,15 +19,18 @@
install=$pkgname.install
source=(https://www.sudo.ws/sudo/dist/$pkgname-$_sudover.tar.gz{,.sig}
sudo_logsrvd.service
+ disable-non-interative-auth.patch
sudo.pam)
sha256sums=('6d6ee863a3bc26c87661093a74ec63e10fd031ceba714642d21636dfe25e3e00'
'SKIP'
'8b91733b73171827c360a3e01f4692772b78e62ceca0cf0fd4b770aba35081a1'
+ '094387d71f6866ff85ab1cccbdf685f97c02a803eb01b41c80c52918785db85c'
'd1738818070684a5d2c9b26224906aad69a4fea77aabd960fc2675aee2df1fa2')
validpgpkeys=('59D1E9CCBA2B376704FDD35BA9F4C021CEA470FB')
prepare() {
cd "$srcdir/$pkgname-$_sudover"
+ patch -Np1 -i ../disable-non-interative-auth.patch
}
build() {
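Review bot: The added `patch -Np1 -i ../disable-non-interative-auth.patch` line in prepare() has no comment saying what the patch is or when it can be dropped. I would put `# Backport of upstream 85fef8b50f08 (noninteractive_auth sudoers flag, off by default); see sudo-project/sudo issue 131` above it. A second line, `# Presumably obsolete once the package moves to sudo 1.9.10`, would help too, because the patch's own manual text ties the option to that release. The file name misspells "interactive"; it is consistent between the source array and this line, so it works, but a rename would make the file easier to find. build() opens on the hunk's last line and continues outside the hunk.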
Added: disable-non-interative-auth.patch
===================================================================
--- disable-non-interative-auth.patch (rev 0)
+++ disable-non-interative-auth.patch 2022-02-02 08:10:27 UTC (rev 435754)
@@ -0,0 +1,142 @@
+From df5f61eb240b9ae1b67faad8f143a488c5c8f206 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller at sudo.ws>
+Date: Tue, 1 Feb 2022 20:08:26 -0700
+Subject: [PATCH] Add sudoers option to perform authentication even in
+ non-interative mode. If noninteractive_auth is set, authentication methods
+ that do not require input from the user's terminal may proceed. It is off by
+ default, which restores the pre-1.9.9 behavior of "sudo -n".
+
+(cherry picked from commit 85fef8b50f0847f4fce39a7fead9aae767be1dca)
+---
+ docs/sudoers.man.in | 17 +++++++++++++++++
+ docs/sudoers.mdoc.in | 16 ++++++++++++++++
+ plugins/sudoers/check.c | 6 ++++++
+ plugins/sudoers/def_data.c | 4 ++++
+ plugins/sudoers/def_data.h | 2 ++
+ plugins/sudoers/def_data.in | 3 +++
+ plugins/sudoers/defaults.c | 1 +
+ 7 files changed, 49 insertions(+)
+
+diff --git a/docs/sudoers.man.in b/docs/sudoers.man.in
+index 67ca7cec6..f7e53cfe7 100644
+--- a/docs/sudoers.man.in
++++ b/docs/sudoers.man.in
+@@ -3214,6 +3214,23 @@ This flag is
+ \fIoff\fR
+ by default.
+ .TP 18n
++noninteractive_auth
++If set, authentication will be attempted even in non-interactive mode
++(when
++\fBsudo\fR's
++\fB\-n\fR
++option is specified).
++This allows authentication methods that don't require user interaction
++to succeed.
++Authentication methods that require input from the user's terminal
++will still fail.
++If disabled, authentication will not be attempted in non-interactive mode.
++This flag is
++\fIoff\fR
++by default.
++.sp
++This setting is only supported by version 1.9.10 or higher.
++.TP 18n
+ pam_acct_mgmt
+ On systems that use PAM for authentication,
+ \fBsudo\fR
+diff --git a/docs/sudoers.mdoc.in b/docs/sudoers.mdoc.in
+index 1b9ea07cf..38b83b9af 100644
+--- a/docs/sudoers.mdoc.in
++++ b/docs/sudoers.mdoc.in
+@@ -3027,6 +3027,22 @@ section at the end of this manual.
+ This flag is
+ .Em off
+ by default.
++.It noninteractive_auth
++If set, authentication will be attempted even in non-interactive mode
++(when
++.Nm sudo Ns 's
++.Fl n
++option is specified).
++This allows authentication methods that don't require user interaction
++to succeed.
++Authentication methods that require input from the user's terminal
++will still fail.
++If disabled, authentication will not be attempted in non-interactive mode.
++This flag is
++.Em off
++by default.
++.Pp
++This setting is only supported by version 1.9.10 or higher.
+ .It pam_acct_mgmt
+ On systems that use PAM for authentication,
+ .Nm sudo
+diff --git a/plugins/sudoers/check.c b/plugins/sudoers/check.c
+index 2ba18d27e..25a2087b0 100644
+--- a/plugins/sudoers/check.c
++++ b/plugins/sudoers/check.c
+@@ -125,6 +125,12 @@ check_user_interactive(int validated, int mode, struct getpass_closure *closure)
+ FALLTHROUGH;
+
+ default:
++ if (ISSET(mode, MODE_NONINTERACTIVE) && !def_noninteractive_auth) {
++ validated |= FLAG_NO_USER_INPUT;
++ log_auth_failure(validated, 0);
++ goto done;
++ }
++
+ /* XXX - should not lecture if askpass helper is being used. */
+ lectured = display_lecture(closure->tstat);
+
+diff --git a/plugins/sudoers/def_data.c b/plugins/sudoers/def_data.c
+index 0afddace8..2398f3c28 100644
+--- a/plugins/sudoers/def_data.c
++++ b/plugins/sudoers/def_data.c
+@@ -645,6 +645,10 @@ struct sudo_defs_types sudo_defs_table[] = {
+ "rlimit_stack", T_RLIMIT|T_BOOL,
+ N_("The maximum size to which the process's stack may grow (in bytes): %s"),
+ NULL,
++ }, {
++ "noninteractive_auth", T_FLAG,
++ N_("Attempt authentication even when in non-interactive mode"),
++ NULL,
+ }, {
+ NULL, 0, NULL
+ }
+diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h
+index 25bf3a71d..ae9182921 100644
+--- a/plugins/sudoers/def_data.h
++++ b/plugins/sudoers/def_data.h
+@@ -300,6 +300,8 @@
+ #define def_rlimit_rss (sudo_defs_table[I_RLIMIT_RSS].sd_un.str)
+ #define I_RLIMIT_STACK 149
+ #define def_rlimit_stack (sudo_defs_table[I_RLIMIT_STACK].sd_un.str)
++#define I_NONINTERACTIVE_AUTH 150
++#define def_noninteractive_auth (sudo_defs_table[I_NONINTERACTIVE_AUTH].sd_un.flag)
+
+ enum def_tuple {
+ never,
+diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in
+index 8309779f7..03ed95607 100644
+--- a/plugins/sudoers/def_data.in
++++ b/plugins/sudoers/def_data.in
+@@ -466,3 +466,6 @@ rlimit_rss
+ rlimit_stack
+ T_RLIMIT|T_BOOL
+ "The maximum size to which the process's stack may grow (in bytes): %s"
++noninteractive_auth
++ T_FLAG
++ "Attempt authentication even when in non-interactive mode"
+diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c
+index b7979f37e..53c2dc2a9 100644
+--- a/plugins/sudoers/defaults.c
++++ b/plugins/sudoers/defaults.c
+@@ -571,6 +571,7 @@ init_defaults(void)
+ def_log_denied = true;
+ def_log_format = sudo;
+ def_runas_allow_unknown_id = false;
++ def_noninteractive_auth = false;
+
+ /* Syslog options need special care since they both strings and ints */
+ #if (LOGGING & SLOG_SYSLOG)
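Review bot: The guard added to the `default:` case of check_user_interactive() in plugins/sudoers/check.c has no comment, although it decides whether `sudo -n` reaches the authentication methods at all. I would add `/* Non-interactive (sudo -n): fail and log before any auth method runs unless noninteractive_auth is set. */` above the `if`. The early exit goes through `goto done`, and both the `done` label and the return value at that point lie outside the hunk, so the assumption that this path returns a failure should be confirmed against the full function. Separately, the added sudoers manual text says the setting is only supported by version 1.9.10 or higher, while this package carries it as a backport on 1.9.9, which may mislead administrators reading sudoers(5) on this build.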