[arch-commits] Commit in sudo/trunk (PKGBUILD disable-non-interative-auth.patch)

Evangelos Foutras foutrelis at gemini.archlinux.org
Wed Feb 2 08:10:28 UTC 2022


    Date: Wednesday, February 2, 2022 @ 08:10:27
  Author: foutrelis
Revision: 435754

upgpkg: sudo 1.9.9-2: disable non-interactive auth

https://github.com/sudo-project/sudo/issues/131

Added:
  sudo/trunk/disable-non-interative-auth.patch
Modified:
  sudo/trunk/PKGBUILD

-----------------------------------+
 PKGBUILD                          |    5 +
 disable-non-interative-auth.patch |  142 ++++++++++++++++++++++++++++++++++++
 2 files changed, 146 insertions(+), 1 deletion(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2022-02-02 07:13:57 UTC (rev 435753)
+++ PKGBUILD	2022-02-02 08:10:27 UTC (rev 435754)
@@ -4,7 +4,7 @@
 
 pkgname=sudo
 _sudover=1.9.9
-pkgrel=1
+pkgrel=2
 pkgver=${_sudover/p/.p}
 pkgdesc="Give certain users the ability to run some commands as root"
 arch=('x86_64')
@@ -19,15 +19,18 @@
 install=$pkgname.install
 source=(https://www.sudo.ws/sudo/dist/$pkgname-$_sudover.tar.gz{,.sig}
         sudo_logsrvd.service
+        disable-non-interative-auth.patch
         sudo.pam)
 sha256sums=('6d6ee863a3bc26c87661093a74ec63e10fd031ceba714642d21636dfe25e3e00'
             'SKIP'
             '8b91733b73171827c360a3e01f4692772b78e62ceca0cf0fd4b770aba35081a1'
+            '094387d71f6866ff85ab1cccbdf685f97c02a803eb01b41c80c52918785db85c'
             'd1738818070684a5d2c9b26224906aad69a4fea77aabd960fc2675aee2df1fa2')
 validpgpkeys=('59D1E9CCBA2B376704FDD35BA9F4C021CEA470FB')
 
 prepare() {
   cd "$srcdir/$pkgname-$_sudover"
+  patch -Np1 -i ../disable-non-interative-auth.patch
 }
 
 build() {
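Review bot: The new `source` entry and the `patch -Np1 -i ../disable-non-interative-auth.patch` line in prepare() carry no comment saying where this change to sudo's authentication path comes from or when it can be removed. A comment above the patch call would cover both, for example `# Backport of upstream commit 85fef8b50f08 (sudo-project/sudo issue 131); presumably droppable once 1.9.10 is packaged`. The file name also spells "interactive" as "interative" in both places and in the added file itself, so a later search for the correct spelling will miss it.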

Added: disable-non-interative-auth.patch
===================================================================
--- disable-non-interative-auth.patch	                        (rev 0)
+++ disable-non-interative-auth.patch	2022-02-02 08:10:27 UTC (rev 435754)
@@ -0,0 +1,142 @@
+From df5f61eb240b9ae1b67faad8f143a488c5c8f206 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller at sudo.ws>
+Date: Tue, 1 Feb 2022 20:08:26 -0700
+Subject: [PATCH] Add sudoers option to perform authentication even in
+ non-interative mode. If noninteractive_auth is set, authentication methods
+ that do not require input from the user's terminal may proceed.  It is off by
+ default, which restores the pre-1.9.9 behavior of "sudo -n".
+
+(cherry picked from commit 85fef8b50f0847f4fce39a7fead9aae767be1dca)
+---
+ docs/sudoers.man.in         | 17 +++++++++++++++++
+ docs/sudoers.mdoc.in        | 16 ++++++++++++++++
+ plugins/sudoers/check.c     |  6 ++++++
+ plugins/sudoers/def_data.c  |  4 ++++
+ plugins/sudoers/def_data.h  |  2 ++
+ plugins/sudoers/def_data.in |  3 +++
+ plugins/sudoers/defaults.c  |  1 +
+ 7 files changed, 49 insertions(+)
+
+diff --git a/docs/sudoers.man.in b/docs/sudoers.man.in
+index 67ca7cec6..f7e53cfe7 100644
+--- a/docs/sudoers.man.in
++++ b/docs/sudoers.man.in
+@@ -3214,6 +3214,23 @@ This flag is
+ \fIoff\fR
+ by default.
+ .TP 18n
++noninteractive_auth
++If set, authentication will be attempted even in non-interactive mode
++(when
++\fBsudo\fR's
++\fB\-n\fR
++option is specified).
++This allows authentication methods that don't require user interaction
++to succeed.
++Authentication methods that require input from the user's terminal
++will still fail.
++If disabled, authentication will not be attempted in non-interactive mode.
++This flag is
++\fIoff\fR
++by default.
++.sp
++This setting is only supported by version 1.9.10 or higher.
++.TP 18n
+ pam_acct_mgmt
+ On systems that use PAM for authentication,
+ \fBsudo\fR
+diff --git a/docs/sudoers.mdoc.in b/docs/sudoers.mdoc.in
+index 1b9ea07cf..38b83b9af 100644
+--- a/docs/sudoers.mdoc.in
++++ b/docs/sudoers.mdoc.in
+@@ -3027,6 +3027,22 @@ section at the end of this manual.
+ This flag is
+ .Em off
+ by default.
++.It noninteractive_auth
++If set, authentication will be attempted even in non-interactive mode
++(when
++.Nm sudo Ns 's
++.Fl n
++option is specified).
++This allows authentication methods that don't require user interaction
++to succeed.
++Authentication methods that require input from the user's terminal
++will still fail.
++If disabled, authentication will not be attempted in non-interactive mode.
++This flag is
++.Em off
++by default.
++.Pp
++This setting is only supported by version 1.9.10 or higher.
+ .It pam_acct_mgmt
+ On systems that use PAM for authentication,
+ .Nm sudo
+diff --git a/plugins/sudoers/check.c b/plugins/sudoers/check.c
+index 2ba18d27e..25a2087b0 100644
+--- a/plugins/sudoers/check.c
++++ b/plugins/sudoers/check.c
+@@ -125,6 +125,12 @@ check_user_interactive(int validated, int mode, struct getpass_closure *closure)
+ 	FALLTHROUGH;
+ 
+     default:
++	if (ISSET(mode, MODE_NONINTERACTIVE) && !def_noninteractive_auth) {
++	    validated |= FLAG_NO_USER_INPUT;
++	    log_auth_failure(validated, 0);
++	    goto done;
++	}
++
+ 	/* XXX - should not lecture if askpass helper is being used. */
+ 	lectured = display_lecture(closure->tstat);
+ 
+diff --git a/plugins/sudoers/def_data.c b/plugins/sudoers/def_data.c
+index 0afddace8..2398f3c28 100644
+--- a/plugins/sudoers/def_data.c
++++ b/plugins/sudoers/def_data.c
+@@ -645,6 +645,10 @@ struct sudo_defs_types sudo_defs_table[] = {
+ 	"rlimit_stack", T_RLIMIT|T_BOOL,
+ 	N_("The maximum size to which the process's stack may grow (in bytes): %s"),
+ 	NULL,
++    }, {
++	"noninteractive_auth", T_FLAG,
++	N_("Attempt authentication even when in non-interactive mode"),
++	NULL,
+     }, {
+ 	NULL, 0, NULL
+     }
+diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h
+index 25bf3a71d..ae9182921 100644
+--- a/plugins/sudoers/def_data.h
++++ b/plugins/sudoers/def_data.h
+@@ -300,6 +300,8 @@
+ #define def_rlimit_rss          (sudo_defs_table[I_RLIMIT_RSS].sd_un.str)
+ #define I_RLIMIT_STACK          149
+ #define def_rlimit_stack        (sudo_defs_table[I_RLIMIT_STACK].sd_un.str)
++#define I_NONINTERACTIVE_AUTH   150
++#define def_noninteractive_auth (sudo_defs_table[I_NONINTERACTIVE_AUTH].sd_un.flag)
+ 
+ enum def_tuple {
+     never,
+diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in
+index 8309779f7..03ed95607 100644
+--- a/plugins/sudoers/def_data.in
++++ b/plugins/sudoers/def_data.in
+@@ -466,3 +466,6 @@ rlimit_rss
+ rlimit_stack
+ 	T_RLIMIT|T_BOOL
+ 	"The maximum size to which the process's stack may grow (in bytes): %s"
++noninteractive_auth
++	T_FLAG
++	"Attempt authentication even when in non-interactive mode"
+diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c
+index b7979f37e..53c2dc2a9 100644
+--- a/plugins/sudoers/defaults.c
++++ b/plugins/sudoers/defaults.c
+@@ -571,6 +571,7 @@ init_defaults(void)
+     def_log_denied = true;
+     def_log_format = sudo;
+     def_runas_allow_unknown_id = false;
++    def_noninteractive_auth = false;
+ 
+     /* Syslog options need special care since they both strings and ints */
+ #if (LOGGING & SLOG_SYSLOG)
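Review bot: The guard added under `default:` in check_user_interactive() leaves through `goto done` before the lecture call that follows, so the denial depends on the return variable still holding a failure value at `done`. That initialization and the `done` label are outside the hunk and should be confirmed against the 1.9.9 tree this backport is applied to. A short comment above the guard would record the intent, for example `/* -n without noninteractive_auth: log and fail before any auth method runs (pre-1.9.9 behaviour). */`. Separately, the manual text added to sudoers.man.in and sudoers.mdoc.in says the setting is only supported by version 1.9.10 or higher, while this package ships it in 1.9.9-2, so the installed man page will misstate where the option is available. Administrators who enable the flag should know that methods needing no terminal input can then succeed under `sudo -n`, which is worth stating in the package notes.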


