[arch-commits] Commit in sudo/repos (6 files)

Evangelos Foutras foutrelis at gemini.archlinux.org
Wed Feb 2 08:10:34 UTC 2022


    Date: Wednesday, February 2, 2022 @ 08:10:34
  Author: foutrelis
Revision: 435755

archrelease: copy trunk to testing-x86_64

Added:
  sudo/repos/testing-x86_64/
  sudo/repos/testing-x86_64/PKGBUILD
    (from rev 435754, sudo/trunk/PKGBUILD)
  sudo/repos/testing-x86_64/disable-non-interative-auth.patch
    (from rev 435754, sudo/trunk/disable-non-interative-auth.patch)
  sudo/repos/testing-x86_64/sudo.install
    (from rev 435754, sudo/trunk/sudo.install)
  sudo/repos/testing-x86_64/sudo.pam
    (from rev 435754, sudo/trunk/sudo.pam)
  sudo/repos/testing-x86_64/sudo_logsrvd.service
    (from rev 435754, sudo/trunk/sudo_logsrvd.service)

-----------------------------------+
 PKGBUILD                          |   81 ++++++++++++++++++++
 disable-non-interative-auth.patch |  142 ++++++++++++++++++++++++++++++++++++
 sudo.install                      |    9 ++
 sudo.pam                          |    4 +
 sudo_logsrvd.service              |   13 +++
 5 files changed, 249 insertions(+)

Copied: sudo/repos/testing-x86_64/PKGBUILD (from rev 435754, sudo/trunk/PKGBUILD)
===================================================================
--- testing-x86_64/PKGBUILD	                        (rev 0)
+++ testing-x86_64/PKGBUILD	2022-02-02 08:10:34 UTC (rev 435755)
@@ -0,0 +1,81 @@
+# Maintainer: Evangelos Foutras <evangelos at foutrelis.com>
+# Contributor: Allan McRae <allan at archlinux.org>
+# Contributor: Tom Newsom <Jeepster at gmx.co.uk>
+
+pkgname=sudo
+_sudover=1.9.9
+pkgrel=2
+pkgver=${_sudover/p/.p}
+pkgdesc="Give certain users the ability to run some commands as root"
+arch=('x86_64')
+url="https://www.sudo.ws/sudo/"
+license=('custom')
+groups=('base-devel')
+depends=('glibc' 'openssl' 'pam' 'libldap' 'zlib')
+backup=('etc/pam.d/sudo'
+        'etc/sudo.conf'
+        'etc/sudo_logsrvd.conf'
+        'etc/sudoers')
+install=$pkgname.install
+source=(https://www.sudo.ws/sudo/dist/$pkgname-$_sudover.tar.gz{,.sig}
+        sudo_logsrvd.service
+        disable-non-interative-auth.patch
+        sudo.pam)
+sha256sums=('6d6ee863a3bc26c87661093a74ec63e10fd031ceba714642d21636dfe25e3e00'
+            'SKIP'
+            '8b91733b73171827c360a3e01f4692772b78e62ceca0cf0fd4b770aba35081a1'
+            '094387d71f6866ff85ab1cccbdf685f97c02a803eb01b41c80c52918785db85c'
+            'd1738818070684a5d2c9b26224906aad69a4fea77aabd960fc2675aee2df1fa2')
+validpgpkeys=('59D1E9CCBA2B376704FDD35BA9F4C021CEA470FB')
+
+prepare() {
+  cd "$srcdir/$pkgname-$_sudover"
+  patch -Np1 -i ../disable-non-interative-auth.patch
+}
+
+build() {
+  cd "$srcdir/$pkgname-$_sudover"
+
+  ./configure \
+    --prefix=/usr \
+    --sbindir=/usr/bin \
+    --libexecdir=/usr/lib \
+    --with-rundir=/run/sudo \
+    --with-vardir=/var/db/sudo \
+    --with-logfac=auth \
+    --enable-tmpfiles.d \
+    --with-pam \
+    --with-sssd \
+    --with-ldap \
+    --with-ldap-conf-file=/etc/openldap/ldap.conf \
+    --with-env-editor \
+    --with-passprompt="[sudo] password for %p: " \
+    --with-all-insults
+  make
+}
+
+check() {
+  cd "$srcdir/$pkgname-$_sudover"
+  make check
+}
+
+package() {
+  cd "$srcdir/$pkgname-$_sudover"
+  make DESTDIR="$pkgdir" install
+
+  # sudo_logsrvd service file (taken from sudo-logsrvd-1.9.0-1.el8.x86_64.rpm)
+  install -Dm644 -t "$pkgdir/usr/lib/systemd/system" ../sudo_logsrvd.service
+
+  # Remove sudoers.dist; not needed since pacman manages updates to sudoers
+  rm "$pkgdir/etc/sudoers.dist"
+
+  # Remove /run/sudo directory; we create it using systemd-tmpfiles
+  rmdir "$pkgdir/run/sudo"
+  rmdir "$pkgdir/run"
+
+  install -Dm644 "$srcdir/sudo.pam" "$pkgdir/etc/pam.d/sudo"
+
+  install -Dm644 LICENSE.md -t "$pkgdir/usr/share/licenses/sudo"
+}
+
+# vim:set ts=2 sw=2 et:
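Review bot: `prepare()` applies `disable-non-interative-auth.patch` with no comment saying where the patch comes from or when it can be dropped, which matters for a change to authentication behaviour in a setuid binary. The patch header on this page identifies it as a cherry-pick of upstream commit 85fef8b50f0847f4fce39a7fead9aae767be1dca, so a line such as `# Backport of upstream 85fef8b50f08: restore pre-1.9.9 "sudo -n" behaviour; drop once _sudover includes it` above the `patch` call would let the next maintainer verify and retire it. The pinned entry in `sha256sums` covers the patch's integrity; the comment would cover its provenance.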

Copied: sudo/repos/testing-x86_64/disable-non-interative-auth.patch (from rev 435754, sudo/trunk/disable-non-interative-auth.patch)
===================================================================
--- testing-x86_64/disable-non-interative-auth.patch	                        (rev 0)
+++ testing-x86_64/disable-non-interative-auth.patch	2022-02-02 08:10:34 UTC (rev 435755)
@@ -0,0 +1,142 @@
+From df5f61eb240b9ae1b67faad8f143a488c5c8f206 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller at sudo.ws>
+Date: Tue, 1 Feb 2022 20:08:26 -0700
+Subject: [PATCH] Add sudoers option to perform authentication even in
+ non-interative mode. If noninteractive_auth is set, authentication methods
+ that do not require input from the user's terminal may proceed.  It is off by
+ default, which restores the pre-1.9.9 behavior of "sudo -n".
+
+(cherry picked from commit 85fef8b50f0847f4fce39a7fead9aae767be1dca)
+---
+ docs/sudoers.man.in         | 17 +++++++++++++++++
+ docs/sudoers.mdoc.in        | 16 ++++++++++++++++
+ plugins/sudoers/check.c     |  6 ++++++
+ plugins/sudoers/def_data.c  |  4 ++++
+ plugins/sudoers/def_data.h  |  2 ++
+ plugins/sudoers/def_data.in |  3 +++
+ plugins/sudoers/defaults.c  |  1 +
+ 7 files changed, 49 insertions(+)
+
+diff --git a/docs/sudoers.man.in b/docs/sudoers.man.in
+index 67ca7cec6..f7e53cfe7 100644
+--- a/docs/sudoers.man.in
++++ b/docs/sudoers.man.in
+@@ -3214,6 +3214,23 @@ This flag is
+ \fIoff\fR
+ by default.
+ .TP 18n
++noninteractive_auth
++If set, authentication will be attempted even in non-interactive mode
++(when
++\fBsudo\fR's
++\fB\-n\fR
++option is specified).
++This allows authentication methods that don't require user interaction
++to succeed.
++Authentication methods that require input from the user's terminal
++will still fail.
++If disabled, authentication will not be attempted in non-interactive mode.
++This flag is
++\fIoff\fR
++by default.
++.sp
++This setting is only supported by version 1.9.10 or higher.
++.TP 18n
+ pam_acct_mgmt
+ On systems that use PAM for authentication,
+ \fBsudo\fR
+diff --git a/docs/sudoers.mdoc.in b/docs/sudoers.mdoc.in
+index 1b9ea07cf..38b83b9af 100644
+--- a/docs/sudoers.mdoc.in
++++ b/docs/sudoers.mdoc.in
+@@ -3027,6 +3027,22 @@ section at the end of this manual.
+ This flag is
+ .Em off
+ by default.
++.It noninteractive_auth
++If set, authentication will be attempted even in non-interactive mode
++(when
++.Nm sudo Ns 's
++.Fl n
++option is specified).
++This allows authentication methods that don't require user interaction
++to succeed.
++Authentication methods that require input from the user's terminal
++will still fail.
++If disabled, authentication will not be attempted in non-interactive mode.
++This flag is
++.Em off
++by default.
++.Pp
++This setting is only supported by version 1.9.10 or higher.
+ .It pam_acct_mgmt
+ On systems that use PAM for authentication,
+ .Nm sudo
+diff --git a/plugins/sudoers/check.c b/plugins/sudoers/check.c
+index 2ba18d27e..25a2087b0 100644
+--- a/plugins/sudoers/check.c
++++ b/plugins/sudoers/check.c
+@@ -125,6 +125,12 @@ check_user_interactive(int validated, int mode, struct getpass_closure *closure)
+ 	FALLTHROUGH;
+ 
+     default:
++	if (ISSET(mode, MODE_NONINTERACTIVE) && !def_noninteractive_auth) {
++	    validated |= FLAG_NO_USER_INPUT;
++	    log_auth_failure(validated, 0);
++	    goto done;
++	}
++
+ 	/* XXX - should not lecture if askpass helper is being used. */
+ 	lectured = display_lecture(closure->tstat);
+ 
+diff --git a/plugins/sudoers/def_data.c b/plugins/sudoers/def_data.c
+index 0afddace8..2398f3c28 100644
+--- a/plugins/sudoers/def_data.c
++++ b/plugins/sudoers/def_data.c
+@@ -645,6 +645,10 @@ struct sudo_defs_types sudo_defs_table[] = {
+ 	"rlimit_stack", T_RLIMIT|T_BOOL,
+ 	N_("The maximum size to which the process's stack may grow (in bytes): %s"),
+ 	NULL,
++    }, {
++	"noninteractive_auth", T_FLAG,
++	N_("Attempt authentication even when in non-interactive mode"),
++	NULL,
+     }, {
+ 	NULL, 0, NULL
+     }
+diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h
+index 25bf3a71d..ae9182921 100644
+--- a/plugins/sudoers/def_data.h
++++ b/plugins/sudoers/def_data.h
+@@ -300,6 +300,8 @@
+ #define def_rlimit_rss          (sudo_defs_table[I_RLIMIT_RSS].sd_un.str)
+ #define I_RLIMIT_STACK          149
+ #define def_rlimit_stack        (sudo_defs_table[I_RLIMIT_STACK].sd_un.str)
++#define I_NONINTERACTIVE_AUTH   150
++#define def_noninteractive_auth (sudo_defs_table[I_NONINTERACTIVE_AUTH].sd_un.flag)
+ 
+ enum def_tuple {
+     never,
+diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in
+index 8309779f7..03ed95607 100644
+--- a/plugins/sudoers/def_data.in
++++ b/plugins/sudoers/def_data.in
+@@ -466,3 +466,6 @@ rlimit_rss
+ rlimit_stack
+ 	T_RLIMIT|T_BOOL
+ 	"The maximum size to which the process's stack may grow (in bytes): %s"
++noninteractive_auth
++	T_FLAG
++	"Attempt authentication even when in non-interactive mode"
+diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c
+index b7979f37e..53c2dc2a9 100644
+--- a/plugins/sudoers/defaults.c
++++ b/plugins/sudoers/defaults.c
+@@ -571,6 +571,7 @@ init_defaults(void)
+     def_log_denied = true;
+     def_log_format = sudo;
+     def_runas_allow_unknown_id = false;
++    def_noninteractive_auth = false;
+ 
+     /* Syslog options need special care since they both strings and ints */
+ #if (LOGGING & SLOG_SYSLOG)
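Review bot: The guard added to the `default:` branch in plugins/sudoers/check.c carries no comment, although it is the line that decides whether `sudo -n` ever reaches an authentication method. A comment such as `/* -n and noninteractive_auth off: fail here, before any auth method is tried */` would make that intent explicit; because this file is a verbatim upstream cherry-pick, the comment may be better proposed upstream than added to the local copy. The backported manual text also says `This setting is only supported by version 1.9.10 or higher.` while the PKGBUILD on this page builds `_sudover=1.9.9`, so the installed man page will not match the package version. check_user_interactive() begins and ends outside the hunk.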

Copied: sudo/repos/testing-x86_64/sudo.install (from rev 435754, sudo/trunk/sudo.install)
===================================================================
--- testing-x86_64/sudo.install	                        (rev 0)
+++ testing-x86_64/sudo.install	2022-02-02 08:10:34 UTC (rev 435755)
@@ -0,0 +1,9 @@
+pre_upgrade() {
+  # Permissions of /var/db/sudo were changed from 0700 to 0711 in sudo 1.8.10
+  # http://www.sudo.ws/repos/sudo/rev/5c38d77a2d0c
+  if (($(vercmp $2 1.8.10-1) < 0)); then
+    chmod 0711 var/db/sudo
+  fi
+}
+
+# vim:set ts=2 sw=2 et:
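Review bot: `$2` is expanded unquoted in `vercmp $2 1.8.10-1`, so an empty or whitespace-containing old-version argument would change the command's argument list; `if (($(vercmp "$2" 1.8.10-1) < 0)); then` is the safer spelling. The `chmod 0711 var/db/sudo` line uses a path relative to the working directory, which presumably relies on pacman running the scriptlet from the install root; a short comment saying so would help the next reader. The reference link in the comment is plain `http://`.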

Copied: sudo/repos/testing-x86_64/sudo.pam (from rev 435754, sudo/trunk/sudo.pam)
===================================================================
--- testing-x86_64/sudo.pam	                        (rev 0)
+++ testing-x86_64/sudo.pam	2022-02-02 08:10:34 UTC (rev 435755)
@@ -0,0 +1,4 @@
+#%PAM-1.0
+auth		include		system-auth
+account		include		system-auth
+session		include		system-auth

Copied: sudo/repos/testing-x86_64/sudo_logsrvd.service (from rev 435754, sudo/trunk/sudo_logsrvd.service)
===================================================================
--- testing-x86_64/sudo_logsrvd.service	                        (rev 0)
+++ testing-x86_64/sudo_logsrvd.service	2022-02-02 08:10:34 UTC (rev 435755)
@@ -0,0 +1,13 @@
+[Unit]
+Description=Sudo central log server
+Documentation=man:sudo_logsrvd(8) man:sudo_logsrvd.conf(5)
+Documentation=https://www.sudo.ws/man.html
+After=syslog.target network.target auditd.service
+
+[Service]
+ExecStart=/usr/bin/sudo_logsrvd -n
+KillMode=process
+Type=exec
+
+[Install]
+WantedBy=multi-user.target
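Review bot: The `[Service]` section starts `sudo_logsrvd` with no sandboxing directives, so the daemon (presumably running as root and accepting log data from other hosts) keeps full access to the filesystem. Consider adding options such as `NoNewPrivileges=yes`, `PrivateTmp=yes` and `ProtectHome=yes`, after testing that the server can still write its log directory and read its configuration and any TLS keys. `syslog.target` in `After=` is obsolete in current systemd and can be dropped.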


