./security/sudo, Allow others to run commands as root

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 1.9.7p1, Package name: sudo-1.9.7p1, Maintainer: pkgsrc-users

Sudo is a program designed to allow a sysadmin to give limited root
privileges to users and log root activity. The basic philosophy is to
give as few privileges as possible but still allow people to get their
work done.


Required to build:
[pkgtools/cwrappers]

Package options: skey

Master sites: (Expand)

SHA1: a9546f736e2d20aedf7e743f282a695094b0dd44
RMD160: f1d616518c16263916f423ff3ec21f5e042ab0bf
Filesize: 4099.21 KB

Version history: (Expand)


CVS history: (Expand)


   2021-06-13 17:20:52 by Takahiro Kambe | Files touched by this commit (2) | Package updated
Log message:
security/sudo: update to 1.9.7p1

1.9.7p1 (2021-06-11)

What's new in Sudo 1.9.7p1

 * Fixed an SELinux sudoedit bug when the edited temporary file
   could not be opened.  The sesh helper would still be run even
   when there are no temporary files available to install.

 * Fixed a compilation problem on FreeBSD.

 * The sudo_noexec.so file is now built as a module on all systems
   other than macOS.  This makes it possible to use other libtool
   implementations such as slibtool.  On macOS shared libraries and
   modules are not interchangeable and the version of libtool shipped
   with sudo must be used.

 * Fixed a few bugs in the getgrouplist() emulation on Solaris when
   reading from the local group file.

 * Fixed a bug in sudo_logsrvd that prevented periodic relay server
   connection retries from occurring in "store_first" mode.

 * Disabled the nss_search()-based getgrouplist() emulation on HP-UX
   due to a crash when the group source is set to "compat" in
   /etc/nsswitch.conf.  This is probably due to a mismatch between
   include/compat/nss_dbdefs.h and what HP-UX uses internally.  On
   HP-UX we now just cycle through groups the slow way using
   getgrent().  Bug #978.
   2021-06-04 14:21:55 by Greg Troxel | Files touched by this commit (1)
Log message:
security/sudo: Drop MESSAGE (as hints to read docs)
   2021-05-27 07:40:45 by Adam Ciarcinski | Files touched by this commit (4) | Package updated
Log message:
sudo: updated to 1.9.7

What's new in Sudo 1.9.7

 * The "fuzz" Makefile target now runs all the fuzzers for 8192
   passes (can be overridden via the FUZZ_RUNS variable).  This makes
   it easier to run the fuzzers in-tree.  To run a fuzzer indefinitely,
   set FUZZ_RUNS=-1, e.g. "make FUZZ_RUNS=-1 fuzz".

 * Fixed fuzzing on FreeBSD where the ld.lld linker returns an
   error by default when a symbol is multiply-defined.

 * Added support for determining local IPv6 addresses on systems
   that lack the getifaddrs() function.  This now works on AIX,
   HP-UX and Solaris (at least).

 * Fixed a bug introduced in sudo 1.9.6 that caused "sudo -V" to
   report a usage error.  Also, when invoked as sudoedit, sudo now
   allows a more restricted set of options that matches the usage
   statement and documentation.

 * Fixed a crash in sudo_sendlog when the specified certificate
   or key does not exist or is invalid.

 * Fixed a compilation error when sudo is configured with the
   --disable-log-client option.

 * Sudo's limited support for SUCCESS=return entries in nsswitch.conf
   is now documented.

 * Sudo now requires autoconf 2.70 or higher to regenerate the
   configure script.

 * sudo_logsrvd now has a relay mode which can be used to create
   a hierarchy of log servers.  By default, when a relay server is
   defined, messages from the client are forwarded immediately to
   the relay.  However, if the "store_first" setting is enabled,
   the log will be stored locally until the command completes and
   then relayed.

 * Sudo now links with OpenSSL by default if it is available unless
   the --disable-openssl configure option is used or both the
   --disable-log-client and --disable-log-server configure options
   are specified.

 * Fixed configure's Python version detection when the version minor
   number is more than a single digit, for example Python 3.10.

 * The sudo Python module tests now pass for Python 3.10.

 * Sudo will now avoid changing the datasize resource limit
   as long as the existing value is at least 1GB.  This works around
   a problem on 64-bit HP-UX where it is not possible to exactly
   restore the original datasize limit.

 * Fixed a race condition that could result in a hang when sudo is
   executed by a process where the SIGCHLD handler is set to SIG_IGN.

 * Fixed an out-of-bounds read in sudoedit and visudo when the
   EDITOR, VISUAL or SUDO_EDITOR environment variables end in an
   unescaped backslash.  Also fixed the handling of quote characters
   that are escaped by a backslash.

 * Fixed a bug that prevented the "log_server_verify" sudoers option
   from taking effect.

 * The sudo_sendlog utility has a new -s option to cause it to stop
   sending I/O records after a user-specified elapsed time.  This
   can be used to test the I/O log restart functionality of sudo_logsrvd.

 * Fixed a crash introduced in sudo 1.9.4 in sudo_logsrvd when
   attempting to restart an interrupted I/O log transfer.

 * The TLS connection timeout in the sudoers log client was previously
   hard-coded to 10 seconds.  It now uses the value of log_server_timeout.

 * The configure script now outputs a summary of the user-configurable
   options at the end, separate from output of configure script tests.

 * Corrected the description of which groups may be specified via the
   -g option in the Runas_Spec section.
   2021-03-18 09:57:48 by Adam Ciarcinski | Files touched by this commit (5) | Package updated
Log message:
sudo: updated to 1.9.6p1

Major changes between version 1.9.6p1 and 1.9.6:

Fixed a regression introduced in sudo 1.9.6 that resulted in an error message \ 
instead of a usage message when sudo is run with no arguments.

Major changes between version 1.9.6 and 1.9.5p2:

Fixed a sudo_sendlog compilation problem with the AIX xlC compiler.
Fixed a regression introduced in sudo 1.9.4 where the --disable-root-mailer \ 
configure option had no effect.
Added a --disable-leaks configure option that avoids some memory leaks on exit \ 
that would otherwise occur. This is intended to be used with development tools \ 
that measure memory leaks. It is not safe to use in production at this time.
Plugged some memory leaks identified by oss-fuzz and ASAN.
Fixed the handling of sudoOptions for an LDAP sudoRole that contains multiple \ 
sudoCommands. Previously, some of the options would only be applied to the first \ 
sudoCommand.
Fixed a potential out of bounds read in the parsing of NOTBEFORE and NOTAFTER \ 
sudoers command options (and their LDAP equivalents).
The parser used for reading I/O log JSON files is now more resilient when \ 
processing invalid JSON.
Fixed typos that prevented make uninstall from working.
Fixed a regression introduced in sudo 1.9.4 where the last line in a sudoers \ 
file might not have a terminating NUL character added if no newline was present.
Integrated oss-fuzz and LLVM's libFuzzer with sudo. The new --enable-fuzzer \ 
configure option can be combined with the --enable-sanitizer option to build \ 
sudo with fuzzing support. Multiple fuzz targets are available for fuzzing \ 
different parts of sudo. Fuzzers are built and tested via make fuzz or as part \ 
of make check (even when sudo is not built with fuzzing support). Fuzzing \ 
support currently requires the LLVM clang compiler (not gcc).
Fixed the --enable-static-sudoers configure option.
Fixed a potential out of bounds read sudo when is run by a user with more groups \ 
than the value of max_groups in sudo.conf.
Added an admin_flag sudoers option to make the use of the \ 
~/.sudo_as_admin_successful file configurable on systems where sudo is build \ 
with the --enable-admin-flag configure option. This mostly affects Ubuntu and \ 
its derivatives.
The max_groups setting in sudo.conf is now limited to 1024. This setting is \ 
obsolete and should no longer be needed.
Fixed a bug in the tilde expansion of CHROOT=dir and CWD=dir sudoers command \ 
options. A path ~/foo was expanded to /home/userfoo instead of /home/user/foo. \ 
This also affects the runchroot and runcwd Defaults settings.
Fixed a bug on systems without a native getdelim(3) function where very long \ 
lines could cause parsing of the sudoers file to end prematurely.
Fixed a potential integer overflow when converting the timestamp_timeout and \ 
passwd_timeout sudoers settings to a timespec struct.
The default for the group_source setting in sudo.conf is now dynamic on macOS. \ 
Recent versions of macOS do not reliably return all of a user's non-local groups \ 
via getgroups(2), even when _DARWIN_UNLIMITED_GETGROUPS is defined.
Fixed a potential use-after-free in the PAM conversation function.
Fixed potential redefinition of sys/stat.h macros in sudo_compat.h.
   2021-01-30 12:06:45 by S.P.Zeidler | Files touched by this commit (3)
Log message:
security/sudo: build fix for netbsdelf systems
   2021-01-26 21:18:43 by Jonathan Perkin | Files touched by this commit (2) | Package updated
Log message:
sudo: Update to 1.9.5p2 for CVE-2021-3156.

What's new in Sudo 1.9.5p2

 * Fixed sudo's setprogname(3) emulation on systems that don't
   provide it.

 * Fixed a problem with the sudoers log server client where a partial
   write to the server could result the sudo process consuming large
   amounts of CPU time due to a cycle in the buffer queue. Bug #954.

 * Added a missing dependency on libsudo_util in libsudo_eventlog.
   Fixes a link error when building sudo statically.

 * The user's KRB5CCNAME environment variable is now preserved when
   performing PAM authentication.  This fixes GSSAPI authentication
   when the user has a non-default ccache.

 * When invoked as sudoedit, the same set of command line options
   are now accepted as for "sudo -e".  The -H and -P options are
   now rejected for sudoedit and "sudo -e" which matches the sudo
   1.7 behavior.  This is part of the fix for CVE-2021-3156.

 * Fixed a potential buffer overflow when unescaping backslashes
   in the command's arguments.  Normally, sudo escapes special
   characters when running a command via a shell (sudo -s or sudo
   -i).  However, it was also possible to run sudoedit with the -s
   or -i flags in which case no escaping had actually been done,
   making a buffer overflow possible.  This fixes CVE-2021-3156.
   2021-01-18 15:32:24 by Takahiro Kambe | Files touched by this commit (7) | Package updated
Log message:
security/sudo: update to 1.9.5p1

Update sudo package to 1.9.5p1.  CHanges from 1.8.31p2 are too many to
write here.  Please refer <https://www.sudo.ws/stable.html>.

1.9.5 fixes these security problems:

* Fixed CVE-2021-23239, a potential information leak in sudoedit that
  could be used to test for the existence of directories not normally
  accessible to the user in certain circumstances.  When creating a new
  file, sudoedit checks to make sure the parent directory of the new file
  exists before running the editor.  However, a race condition exists if
  the invoking user can replace (or create) the parent directory. If a
  symbolic link is created in place of the parent directory, sudoedit will
  run the editor as long as the target of the link exists.  If the target
  of the link does not exist, an error message will be displayed.  The
  race condition can be used to test for the existence of an arbitrary
  directory.  However, it cannot be used to write to an arbitrary
  location.

* Fixed CVE-2021-23240, a flaw in the temporary file handling of
  sudoedit's SELinux RBAC support.  On systems where SELinux is enabled, a
  user with sudoedit permissions may be able to set the owner of an
  arbitrary file to the user-ID of the target user.  On Linux kernels that
  support protected symlinks setting /proc/sys/fs/protected_symlinks to 1
  will prevent the bug from being exploited.  For more information, see
  Symbolic link attack in SELinux-enabled sudoedit.

Quote from 1.9.0 features:

* The maximum length of a conversation reply has been increased from 255
  to 1023 characters.  This allows for longer user passwords. Bug #860.

* Sudo now includes a logging daemon, sudo_logsrvd, which can be used to
  implement centralized logging of I/O logs.  TLS connections are
  supported when sudo is configured with the --enable-openssl option.  For
  more information, see the sudo_logsrvd, sudo_logsrvd.conf and
  sudo_logsrv.proto manuals as well as the log_servers setting in the
  sudoers manual.

* The --disable-log-server and --disable-log-client configure options can
  be used to disable building the I/O log server and/or remote I/O log
  support in the sudoers plugin.

* The new sudo_sendlog utility can be used to test sudo_logsrvd or send
  existing sudo I/O logs to a centralized server.

* It is now possible to write sudo plugins in Python 4 when sudo is
  configured with the --enable-python option.  See the sudo_plugin_python
  manual for details.

  Sudo 1.9.0 comes with several Python example plugins that get installed
  sudo's examples directory.

  The sudo blog article What's new in sudo 1.9: Python includes a simple
  tutorial on writing python plugins.

* Sudo now supports an audit plugin type.  An audit plugin receives
  accept, reject, exit and error messages and can be used to implement
  custom logging that is independent of the underlying security policy.
  Multiple audit plugins may be specified in the sudo.conf file.  A sample
  audit plugin is included that writes logs in JSON format.

* Sudo now supports an approval plugin type.  An approval plugin is run
  only after the main security policy (such as sudoers) accepts a command
  to be run.  The approval policy may perform additional checks,
  potentially interacting with the user.  Multiple approval plugins may be
  specified in the sudo.conf file.  Only if all approval plugins succeed
  will the command be allowed.

* Sudo's -S command line option now causes the sudo conversation function
  to write to the standard output or standard error instead of the
  terminal device.
   2020-09-19 16:04:29 by Takahiro Kambe | Files touched by this commit (3) | Package updated
Log message:
security/sudo: update to 1.8.31p2

Update sudo package to 1.8.31p2.

What's new in Sudo 1.8.31p2

 * Sudo command line options that take a value may only be specified
   once.  This is to help guard against problems caused by poorly
   written scripts that invoke sudo with user-controlled input.
   Bug #924.

 * When running a command in a pty, sudo will no longer try to
   suspend itself if the user's tty has been revoked (for instance
   when the parent ssh daemon is killed).  This fixes a bug where
   sudo would continuously suspend the command (which would succeed),
   then suspend itself (which would fail due to the missing tty)
   and then resume the command.

 * If sudo's event loop fails due to the tty being revoked, remove
   the user's tty events and restart the event loop (once).  This
   fixes a problem when running "sudo reboot" in a pty on some
   systems.  When the event loop exited unexpectedly, sudo would
   kill the command running in the pty, which in the case of "reboot",
   could lead to the system being in a half-rebooted state.

 * Fixed a regression introduced in sudo 1.8.23 in the LDAP and
   SSSD back-ends where a missing sudoHost attribute was treated
   as an "ALL" wildcard value.  A sudoRole with no sudoHost attribute
   is now ignored as it was prior to version 1.8.23.