mirror of
https://github.com/vincentmli/bpfire.git
synced 2026-04-10 02:55:55 +02:00
main
11 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Adolf Belka
|
62c2ba58b4 |
sudo: Update to version 1.9.15p2
- Update from version 1.9.14p2 to 1.9.15p2
- Update of rootfile
- Changelog
1.9.15p2
* Fixed a bug on BSD systems where sudo would not restore the
terminal settings on exit if the terminal had parity enabled.
GitHub issue #326.
1.9.15p1
* Fixed a bug introduced in sudo 1.9.15 that prevented LDAP-based
sudoers from being able to read the ldap.conf file.
GitHub issue #325.
1.9.15
* Fixed an undefined symbol problem on older versions of macOS
when "intercept" or "log_subcmds" are enabled in sudoers.
GitHub issue #276.
* Fixed "make check" failure related to getpwent(3) wrapping
on NetBSD.
* Fixed the warning message for "sudo -l command" when the command
is not permitted. There was a missing space between "list" and
the actual command due to changes in sudo 1.9.14.
* Fixed a bug where output could go to the wrong terminal if
"use_pty" is enabled (the default) and the standard input, output
or error is redirected to a different terminal. Bug #1056.
* The visudo utility will no longer create an empty file when the
specified sudoers file does not exist and the user exits the
editor without making any changes. GitHub issue #294.
* The AIX and Solaris sudo packages on www.sudo.ws now support
"log_subcmds" and "intercept" with both 32-bit and 64-bit
binaries. Previously, they only worked when running binaries
with the same word size as the sudo binary. GitHub issue #289.
* The sudoers source is now logged in the JSON event log. This
makes it possible to tell which rule resulted in a match.
* Running "sudo -ll command" now produces verbose output that
includes matching rule as well as the path to the sudoers file
the matching rule came from. For LDAP sudoers, the name of the
matching sudoRole is printed instead.
* The embedded copy of zlib has been updated to version 1.3.
* The sudoers plugin has been modified to make it more resilient
to ROWHAMMER attacks on authentication and policy matching.
This addresses CVE-2023-42465.
* The sudoers plugin now constructs the user time stamp file path
name using the user-ID instead of the user name. This avoids a
potential problem with user names that contain a path separator
('/') being interpreted as part of the path name. A similar
issue in sudo-rs has been assigned CVE-2023-42456.
* A path separator ('/') in a user, group or host name is now
replaced with an underbar character ('_') when expanding escapes
in @include and @includedir directives as well as the "iolog_file"
and "iolog_dir" sudoers Default settings.
* The "intercept_verify" sudoers option is now only applied when
the "intercept" option is set in sudoers. Previously, it was
also applied when "log_subcmds" was enabled. Sudo 1.9.14
contained an incorrect fix for this. Bug #1058.
* Changes to terminal settings are now performed atomically, where
possible. If the command is being run in a pseudo-terminal and
the user's terminal is already in raw mode, sudo will not change
the user's terminal settings. This prevents concurrent sudo
processes from restoring the terminal settings to the wrong values.
GitHub issue #312.
* Reverted a change from sudo 1.9.4 that resulted in PAM session
modules being called with the environment of the command to be
run instead of the environment of the invoking user.
GitHub issue #318.
* New Indonesian translation from translationproject.org.
* The sudo_logsrvd server will now raise its open file descriptor
limit to the maximum allowed value when it starts up. Each
connection can require up to nine open file descriptors so the
default soft limit may be too low.
* Better log message when rejecting a command if the "intercept"
option is enabled and the "intercept_allow_setid" option is
disabled. Previously, "command not allowed" would be logged and
the user had no way of knowing what the actual problem was.
* Sudo will now log the invoking user's environment as "submitenv"
in the JSON logs. The command's environment ("runenv") is no
longer logged for commands rejected by the sudoers file or an
approval plugin.
1.9.14p3
* Fixed a crash with Python 3.12 when the sudo Python plugin is
unloaded. This only affects "make check" for the Python plugin.
* Adapted the sudo Python plugin test output to match Python 3.12.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
|
||
|
Adolf Belka
|
88b06e23f1 |
sudo: Update to version 1.9.13p2
- Update from version 1.9.12p2 to 1.9.13p2 - Update of rootfile - Changelog What's new in Sudo 1.9.13p2 * Fixed the --enable-static-sudoers option, broken in sudo 1.9.13. GitHub issue #245. * Fixed a potential double-free bug when matching a sudoers rule that contains a per-command chroot directive (CHROOT=dir). This bug was introduced in sudo 1.9.8. What's new in Sudo 1.9.13p1 * Fixed a typo in the configure script that resulted in a line like "]: command not found" in the output. GitHub issue #238. * Corrected the order of the C23 [[noreturn]] attribute in function prototypes. This fixes a build error with GCC 13. GitHub issue #239. * The "check" make target misbehaved when there was more than one version of the UTF-8 C locale in the output of "locale -a". GitHub issue #241. * Removed a dependency on the AC_SYS_YEAR2038 macro in configure.ac. This was added in autoconf 2.72 but sudo's configure.ac only required autoconf 2.70. * Relaxed the autoconf version requirement to version 2.69. What's new in Sudo 1.9.13 * Fixed a bug running relative commands via sudo when "log_subcmds" is enabled. GitHub issue #194. * Fixed a signal handling bug when running sudo commands in a shell script. Signals were not being forwarded to the command when the sudo process was not run in its own process group. * Fixed a bug in cvtsudoers' LDIF parsing when the file ends without a newline and a backslash is the last character of the file. * Fixed a potential use-after-free bug with cvtsudoers filtering. GitHub issue #198. * Added a reminder to the default lecture that the password will not echo. This line is only displayed when the pwfeedback option is disabled. GitHub issue #195. * Fixed potential memory leaks in error paths. GitHub issues #199, #202. * Fixed potential NULL dereferences on memory allocation failure. GitHub issues #204, #211. * Sudo now uses C23-style attributes in function prototypes instead of gcc-style attributes if supported. * Added a new "list" pseudo-command in sudoers to allow a user to list another user's privileges. Previously, only root or a user with the ability to run any command as either root or the target user on the current host could use the -U option. This also includes a fix to the log entry when a user lacks permission to run "sudo -U otheruser -l command". Previously, the logs would indicate that the user tried to run the actual command, now the log entry includes the list operation. * JSON logging now escapes control characters if they happen to appear in the command or environment. * New Albanian translation from translationproject.org. * Regular expressions in sudoers or logsrvd.conf may no longer contain consecutive repetition operators. This is implementation- specific behavior according to POSIX, but some implementations will allocate excessive amounts of memory. This mainly affects the fuzzers. * Sudo now builds AIX-style shared libraries and dynamic shared objects by default instead of svr4-style. This means that the default sudo plugins are now .a (archive) files that contain a .so shared object file instead of bare .so files. This was done to improve compatibility with the AIX Freeware ecosystem, specifically, the AIX Freeware build of OpenSSL. Sudo will still load svr4-style .so plugins and if a .so file is requested, either via sudo.conf or the sudoers file, and only the .a file is present, sudo will convert the path from plugin.so to plugin.a(plugin.so) when loading it. This ensures compatibility with existing configurations. To restore the old, pre-1.9.13 behavior, run configure using the --with-aix-soname=svr4 option. * Sudo no longer checks the ownership and mode of the plugins that it loads. Plugins are configured via either the sudo.conf or sudoers file which are trusted configuration files. These checks suffered from time-of-check vs. time-of-use race conditions and complicate loading plugins that are not simple paths. Ownership and mode checks are still performed when loading the sudo.conf and sudoers files, which do not suffer from race conditions. The sudo.conf "developer_mode" setting is no longer used. * Control characters in sudo log messages and "sudoreplay -l" output are now escaped in octal format. Space characters in the command path are also escaped. Command line arguments that contain spaces are surrounded by single quotes and any literal single quote or backslash characters are escaped with a backslash. This makes it possible to distinguish multiple command line arguments from a single argument that contains spaces. * Improved support for DragonFly BSD which uses a different struct procinfo than either FreeBSD or 4.4BSD. * Fixed a compilation error on Linux arm systems running older kernels that may not define EM_ARM in linux/elf-em.h. GitHub issue #232. * Fixed a compilation error when LDFLAGS contains -Wl,--no-undefined. Sudo will now link using -Wl,--no-undefined by default if possible. GitHub issue #234. * Fixed a bug executing a command with a very long argument vector when "log_subcmds" or "intercept" is enabled on a system where "intercept_type" is set to "trace". GitHub issue #194. * When sudo is configured to run a command in a pseudo-terminal but the standard input is not connected to a terminal, the command will now be run as a background process. This works around a problem running sudo commands in the background from a shell script where changing the terminal to raw mode could interfere with the interactive shell that ran the script. GitHub issue #237. * A missing include file in sudoers is no longer a fatal error unless the error_recovery plugin argument has been set to false. Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> |
||
|
Adolf Belka
|
24109ebef7 |
sudo: Update to version 1.9.12p1
- Update from version 1.9.11p3 to 1.9.12p1
- Update of rootfile
- Changelog
What's new in Sudo 1.9.12p1
* Sudo's configure script now does a better job of detecting when
the -fstack-clash-protection compiler option does not work.
GitHub issue #191.
* Fixed CVE-2022-43995, a potential out-of-bounds write for passwords
smaller than 8 characters when passwd authentication is enabled.
This does not affect configurations that use other authentication
methods such as PAM, AIX authentication or BSD authentication.
* Fixed a build error with some configurations compiling host_port.c.
What's new in Sudo 1.9.12
* Fixed a bug in the ptrace-based intercept mode where the current
working directory could include garbage at the end.
* Fixed a compilation error on systems that lack the stdint.h
header. Bug #1035
* Fixed a bug when logging the command's exit status in intercept
mode. The wrong command could be logged with the exit status.
* For ptrace-based intercept mode, sudo will now attempt to
verify that the command path name, arguments and environment
have not changed from the time when they were authorized by the
security policy. The new "intercept_verify" sudoers setting can
be used to control this behavior.
* Fixed running commands with a relative path (e.g. ./foo) in
intercept mode. Previously, this would fail if sudo's current
working directory was different from that of the command.
* Sudo now supports passing the execve(2) system call the NULL
pointer for the `argv` and/or `envp` arguments when in intercept
mode. Linux treats a NULL pointer like an empty array.
* The sudoers LDAP schema now allows sudoUser, sudoRunasUser and
sudoRunasGroup to include UTF-8 characters, not just 7-bit ASCII.
* Fixed a problem with "sudo -i" on SELinux when the target user's
home directory is not searchable by sudo. GitHub issue #160.
* Neovim has been added to the list of visudo editors that support
passing the line number on the command line.
* Fixed a bug in sudo's SHA384 and SHA512 message digest padding.
* Added a new "-N" (--no-update) command line option to sudo which
can be used to prevent sudo from updating the user's cached
credentials. It is now possible to determine whether or not a
user's cached credentials are currently valid by running:
$ sudo -Nnv
and checking the exit value. One use case for this is to indicate
in a shell prompt that sudo is "active" for the user.
* PAM approval modules are no longer invoked when running sub-commands
in intercept mode unless the "intercept_authenticate" option is set.
There is a substantial performance penalty for calling into PAM
for each command run. PAM approval modules are still called for
the initial command.
* Intercept mode on Linux now uses process_vm_readv(2) and
process_vm_writev(2) if available.
* The XDG_CURRENT_DESKTOP environment variable is now preserved
by default. This makes it possible for graphical applications
to choose the correct theme when run via sudo.
* On 64-bit systems, if sudo fails to load a sudoers group plugin,
it will use system-specific heuristics to try to locate a 64-bit
version of the plugin.
* The cvtsudoers manual now documents the JSON and CSV output
formats. GitHub issue #172.
* Fixed a bug where sub-commands were not being logged to a remote
log server when log_subcmds was enabled. GitHub issue #174.
* The new log_stdin, log_stdout, log_stderr, log_ttyin, and log_ttyout
sudoers settings can be used to support more fine-grained I/O logging.
The sudo front-end no longer allocates a pseudo-terminal when running
a command if the I/O logging plugin requests logging of stdin, stdout,
or stderr but not terminal input/output.
* Quieted a libgcrypt run-time initialization warning.
This fixes Debian bug #1019428 and Ubuntu bug #1397663.
* Fixed a bug in visudo that caused literal backslashes to be removed
from the EDITOR environment variable. GitHub issue #179.
* The sudo Python plugin now implements the "find_spec" method instead
of the the deprecated "find_module". This fixes a test failure when
a newer version of setuptools that doesn't include "find_module" is
found on the system.
* Fixed a bug introduced in sudo 1.9.9 where sudo_logsrvd created
the process ID file, usually /var/run/sudo/sudo_logsrvd.pid, as
a directory instead of a plain file. The same bug could result
in I/O log directories that end in six or more X's being created
literally in addition to the name being used as a template for
the mkdtemp(3) function.
* Fixed a long-standing bug where a sudoers rule with a command
line argument of "", which indicates the command may be run with
no arguments, would also match a literal "" on the command line.
GitHub issue #182.
* Added the -I option to visudo which only edits the main sudoers
file. Include files are not edited unless a syntax error is found.
* Fixed "sudo -l -U otheruser" output when the runas list is empty.
Previously, sudo would list the invoking user instead of the
list user. GitHub issue #183.
* Fixed the display of command tags and options in "sudo -l" output
when the RunAs user or group changes. A new line is started for
RunAs changes which means we need to display the command tags
and options again. GitHub issue #184.
* The sesh helper program now uses getopt_long(3) to parse the
command line options.
* The embedded copy of zlib has been updated to version 1.2.13.
* Fixed a bug that prevented event log data from being sent to the
log server when I/O logging was not enabled. This only affected
systems without PAM or configurations where the pam_session and
pam_setcred options were disabled in the sudoers file.
* Fixed a bug where "sudo -l" output included a carriage return
after the newline. This is only needed when displaying to a
terminal in raw mode. Bug #1042.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
|
||
|
Adolf Belka
|
2296698ec4 |
sudo: Update to version 1.9.11p3
- Update from version 1.9.10 to 1.9.11p3
- Update of rootfile required
- Changelog
What's new in Sudo 1.9.11p3
* Fixed "connection reset" errors on AIX when running shell scripts
with the "intercept" or "log_subcmds" sudoers options enabled.
Bug #1034.
* Fixed very slow execution of shell scripts when the "intercept"
or "log_subcmds" sudoers options are set on systems that enable
Nagle's algorithm on the loopback device, such as AIX.
Bug #1034.
What's new in Sudo 1.9.11p2
* Fixed a compilation error on Linux/x86_64 with the x32 ABI.
* Fixed a regression introduced in 1.9.11p1 that caused a warning
when logging to sudo_logsrvd if the command returned no output.
What's new in Sudo 1.9.11p1
* Correctly handle EAGAIN in the I/O read/right events. This fixes
a hang seen on some systems when piping a large amount of data
through sudo, such as via rsync. Bug #963.
* Changes to avoid implementation or unspecified behavior when
bit shifting signed values in the protobuf library.
* Fixed a compilation error on Linux/aarch64.
* Fixed the configure check for seccomp(2) support on Linux.
* Corrected the EBNF specification for tags in the sudoers manual
page. GitHub issue #153.
What's new in Sudo 1.9.11
* Fixed a crash in the Python module with Python 3.9.10 on some
systems. Additionally, "make check" now passes for Python 3.9.10.
* Error messages sent via email now include more details, including
the file name and the line number and column of the error.
Multiple errors are sent in a single message. Previously, only
the first error was included.
* Fixed logging of parse errors in JSON format. Previously,
the JSON logger would not write entries unless the command and
runuser were set. These may not be known at the time a parse
error is encountered.
* Fixed a potential crash parsing sudoers lines larger than twice
the value of LINE_MAX on systems that lack the getdelim() function.
* The tests run by "make check" now unset the LANGUAGE environment
variable. Otherwise, localization strings will not match if
LANGUAGE is set to a non-English locale. Bug #1025.
* The "starttime" test now passed when run under Debian faketime.
Bug #1026.
* The Kerberos authentication module now honors the custom password
prompt if one has been specified.
* The embedded copy of zlib has been updated to version 1.2.12.
* Updated the version of libtool used by sudo to version 2.4.7.
* Sudo now defines _TIME_BITS to 64 on systems that define __TIMESIZE
in the header files (currently only GNU libc). This is required
to allow the use of 64-bit time values on some 32-bit systems.
* Sudo's "intercept" and "log_subcmds" options no longer force the
command to run in its own pseudo-terminal. It is now also
possible to intercept the system(3) function.
* Fixed a bug in sudo_logsrvd when run in store-first relay mode
where the commit point messages sent by the server were incorrect
if the command was suspended or received a window size change
event.
* Fixed a potential crash in sudo_logsrvd when the "tls_dhparams"
configuration setting was used.
* The "intercept" and "log_subcmds" functionality can now use
ptrace(2) on Linux systems that support seccomp(2) filtering.
This has the advantage of working for both static and dynamic
binaries and can work with sudo's SELinux RBAC mode. The following
architectures are currently supported: i386, x86_64, aarch64,
arm, mips (log_subcmds only), powerpc, riscv, and s390x. The
default is to use ptrace(2) where possible; the new "intercept_type"
sudoers setting can be used to explicitly set the type.
* New Georgian translation from translationproject.org.
* Fixed creating packages on CentOS Stream.
* Fixed a bug in the intercept and log_subcmds support where
the execve(2) wrapper was using the current environment instead
of the passed environment pointer. Bug #1030.
* Added AppArmor integration for Linux. A sudoers rule can now
specify an APPARMOR_PROFILE option to run a command confined by
the named AppArmor profile.
* Fixed parsing of the "server_log" setting in sudo_logsrvd.conf.
Non-paths were being treated as paths and an actual path was
treated as an error.
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
Reviewed-by: Peter Müller <peter.mueller@ipfire.org>
|
||
|
Adolf Belka
|
e78c7a81e4 |
sudo: Update to version 1.9.9
- Update from 1.9.8p2 to 1.9.9 - Update of rootfile - Changelog What's new in Sudo 1.9.9 * Sudo can now be built with OpenSSL 3.0 without generating warnings about deprecated OpenSSL APIs. * A digest can now be specified along with the "ALL" command in the LDAP and SSSD back-ends. Sudo 1.9.0 introduced support for this in the sudoers file but did not include corresponding changes for the other back-ends. * visudo now only warns about an undefined alias or a cycle in an alias once for each alias. * The sudoRole cn was truncated by a single character in warning messages. GitHub issue #115. * The cvtsudoers utility has new --group-file and --passwd-file options to use a custom passwd or group file when the --match-local option is also used. * The cvtsudoers utility can now filter or match based on a command. * The cvtsudoers utility can now produce output in csv (comma-separated value) format. This can be used to help generate entitlement reports. * Fixed a bug in sudo_logsrvd that could result in the connection being dropped for very long command lines. * Fixed a bug where sudo_logsrvd would not accept a restore point of zero. * Fixed a bug in visudo where the value of the "editor" setting was not used if it did not match the user's EDITOR environment variable. This was only a problem if the "env_editor" setting was not enabled. Bug #1000. * Sudo now builds with the -fcf-protection compiler option and the "-z now" linker option if supported. * The output of "sudoreplay -l" now more closely matches the traditional sudo log format. * The sudo_sendlog utility will now use the full contents of the log.json file, if present. This makes it possible to send sudo-format I/O logs that use the newer log.json format to sudo_logsrvd without losing any information. * Fixed compilation of the arc4random_buf() replacement on systems with arc4random() but no arc4random_buf(). Bug #1008. * Sudo now uses its own getentropy() by default on Linux. The GNU libc version of getentropy() will fail on older kernels that don't support the getrandom() system call. * It is now possible to build sudo with WolfSSL's OpenSSL compatibility layer by using the --enable-wolfssl configure option. * Fixed a bug related to Daylight Saving Time when parsing timestamps in Generalized Time format. This affected the NOTBEFORE and NOTAFTER options in sudoers. Bug #1006 * Added the -O and -P options to visudo, which can be used to check or set the owner and permissions. This can be used in conjunction with the -c option to check that the sudoers file ownership and permissions are correct. Bug #1007. * It is now possible to set resource limits in the sudoers file itself. The special values "default" and "user" refer to the default system limit and invoking user limit respectively. The core dump size limit is now set to 0 by default unless overridden by the sudoers file. * The cvtsudoers utility can now merge multiple sudoers sources into a single, combined sudoers file. If there are conflicting entries, cvtsudoers will attempt to resolve them but manual intervention may be required. The merging of sudoers rules is currently fairly simplistic but will be improved in a future release. * Sudo was parsing but not applying the "deref" and "tls_reqcert" ldap.conf settings. This meant the options were effectively ignored which broke dereferencing of aliases in LDAP. Bug #1013. * Clarified in the sudo man page that the security policy may override the user's PATH environment variable. Bug #1014. * When sudo is run in non-interactive mode (with the -n option), it will now attempt PAM authentication and only exit with an error if user interaction is required. This allows PAM modules that don't interact with the user to succeed. Previously, sudo would not attempt authentication if the -n option was specified. Bug #956 and GitHub issue #83. * Fixed a regression introduced in version 1.9.1 when sudo is built with the --with-fqdn configure option. The local host name was being resolved before the sudoers file was processed, making it impossible to disable DNS lookups by negating the "fqdn" sudoers option. Bug #1016. * Added support for negated sudoUser attributes in the LDAP and SSSD sudoers back ends. A matching sudoUser that is negated will cause the sudoRole containing it to be ignored. * Fixed a bug where the stack resource limit could be set to a value smaller than that of the invoking user and not be reset before the command was run. Bug #1017. Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> |
||
|
Adolf Belka
|
15bf66e56f |
sudo: Update to version 1.9.8p2
- v2 version is to extend from 1.9.8p1 to 1.9.8p2
- Update from 1.9.7p2 to 1.9.8p2
- Update rootfile
- Changelog
What's new in Sudo 1.9.8p2
* Fixed a potential out-of-bounds read with "sudo -i" when the
target user's shell is bash. This is a regression introduced
in sudo 1.9.8. Bug #998.
* sudo_logsrvd now only sends a log ID for first command of a session.
There is no need to send the log ID for each sub-command.
* Fixed a few minor memory leaks in intercept mode.
* Fixed a problem with sudo_logsrvd in relay mode if "store_first"
was enabled when handling sub-commands. A new zero-length journal
file was created for each sub-command instead of simply using
the existing journal file.
What's new in Sudo 1.9.8p1
* Fixed support for passing a prompt (sudo -p) or a login class
(sudo -l) on the command line. This is a regression introduced
in sudo 1.9.8. Bug #993.
* Fixed a crash with "sudo ALL" rules in the LDAP and SSSD back-ends.
This is a regression introduced in sudo 1.9.8. Bug #994.
* Fixed a compilation error when the --enable-static-sudoers configure
option was specified. This is a regression introduced in sudo
1.9.8 caused by a symbol clash with the intercept and log server
protobuf functions.
What's new in Sudo 1.9.8
* It is now possible to transparently intercepting sub-commands
executed by the original command run via sudo. Intercept support
is implemented using LD_PRELOAD (or the equivalent supported by
the system) and so has some limitations. The two main limitations
are that only dynamic executables are supported and only the
execl, execle, execlp, execv, execve, execvp, and execvpe library
functions are currently intercepted. Its main use case is to
support restricting privileged shells run via sudo.
To support this, there is a new "intercept" Defaults setting and
an INTERCEPT command tag that can be used in sudoers. For example:
Cmnd_Alias SHELLS=/bin/bash, /bin/sh, /bin/csh, /bin/ksh, /bin/zsh
Defaults!SHELLS intercept
would cause sudo to run the listed shells in intercept mode.
This can also be set on a per-rule basis. For example:
Cmnd_Alias SHELLS=/bin/bash, /bin/sh, /bin/csh, /bin/ksh, /bin/zsh
chuck ALL = INTERCEPT: SHELLS
would only apply intercept mode to user "chuck" when running one
of the listed shells.
In intercept mode, sudo will not prompt for a password before
running a sub-command and will not allow a set-user-ID or
set-group-ID program to be run by default. The new
intercept_authenticate and intercept_allow_setid sudoers settings
can be used to change this behavior.
* The new "log_subcmds" sudoers setting can be used to log additional
commands run in a privileged shell. It uses the same mechanism as
the intercept support described above and has the same limitations.
* The new "log_exit_status" sudoers setting can be used to log
the exit status commands run via sudo. This is also a corresponding
"log_exit" setting in the sudo_logsrvd.conf eventlog stanza.
* Support for logging sudo_logsrvd errors via syslog or to a file.
Previously, most sudo_logsrvd errors were only visible in the
debug log.
* Better diagnostics when there is a TLS certificate validation error.
* Using the "+=" or "-=" operators in a Defaults setting that takes
a string, not a list, now produces a warning from sudo and a
syntax error from inside visudo.
* Fixed a bug where the "iolog_mode" setting in sudoers and sudo_logsrvd
had no effect when creating I/O log parent directories if the I/O log
file name ended with the string "XXXXXX".
* Fixed a bug in the sudoers custom prompt code where the size
parameter that was passed to the strlcpy() function was incorrect.
No overflow was possible since the correct amount of memory was
already pre-allocated.
* The mksigname and mksiglist helper programs are now built with
the host compiler, not the target compiler, when cross-compiling.
Bug #989.
* Fixed compilation error when the --enable-static-sudoers configure
option was specified. This was due to a typo introduced in sudo
1.9.7. GitHub PR #113.
For more details of the changes then view the ChangeLog file in the source tarball
or at https://www.sudo.ws/changes.html
Signed-off-by: Adolf Belka <adolf.belka@ipfire.org>
|
||
|
Adolf Belka
|
161613165a |
sudo: Upgrade to 1.9.5p1
- Upgrade sudo from 1.8.10p3 to 1.9.5p1 - Move sudo from legacy release (1.8) branch to stable release (1.9) branch - Update rootfile - Changelog available at https://www.sudo.ws/changes.html - Tested out on vm testbed and sudo is working correctly Signed-off-by: Adolf Belka <adolf.belka@ipfire.org> Reviewed-by: Peter Müller <peter.mueller@ipfire.org> Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> |
||
Michael Tremer
|
7471256910 |
Rootfile update
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> |
||
|
Michael Tremer
|
fb26aed3c2 |
Rootfile update for sudo
Signed-off-by: Michael Tremer <michael.tremer@ipfire.org> |
||
|
Michael Tremer
|
d5e94f72f6 | sudo: Update to 1.8.10p1. | ||
ms
|
de297ec3fb |
Einige (hoffentlich die letzten) Rootfiles hinzugefuegt...
git-svn-id: http://svn.ipfire.org/svn/ipfire/trunk@395 ea5c0bd1-69bd-2848-81d8-4f18e57aeed8 |