safe_cmnd.
Sudo 1.6.8p9 released.
+
+567) Added PS4 and SHELLOPTS to the list of variables to remove from
+ the environment.
+
+Sudo 1.6.8p10 released.
+
+567) Added JAVA_TOOL_OPTIONS to the list of variables to remove from
+ the environment.
+
+Sudo 1.6.8p11 released.
+
+567) Added PERLLIB, PERL5LIB and PERL5OPT to the list of variables to
+ remove from the environment.
+
+Sudo 1.6.8p12 released.
LIBOBJS = @LIBOBJS@ @ALLOCA@
-VERSION = 1.6.8p9
+VERSION = 1.6.8p12
DISTFILES = $(SRCS) $(HDRS) BUGS CHANGES HISTORY INSTALL INSTALL.configure \
LICENSE Makefile.in PORTING README README.LDAP RUNSON TODO \
+sudo (1.6.8p12-1) unstable; urgency=low
+
+ * new upstream version, closes: #342948 (CVE-2005-4158)
+ * add env_reset to the sudoers file we create if none already exists,
+ as a further precaution in response to discussion about CVS-2005-4158
+ * split ldap support into a new sudo-ldap package. I was trying to avoid
+ doing this, but the impact of going from 4 to 17 linked shlibs on the
+ autobuilder chroots is sufficient motivation for me.
+ closes: #344034
+
+ -- Bdale Garbee <bdale@gag.com> Wed, 28 Dec 2005 13:49:10 -0700
+
sudo (1.6.8p9-4) unstable; urgency=low
* enable ldap support, deliver README.LDAP and sudoers2ldif, closes: #283231
Package: sudo
Architecture: any
Depends: ${shlibs:Depends}, libpam-modules
+Conflicts: sudo-ldap
+Replaces: sudo-ldap
Description: Provide limited super user privileges to specific users
Sudo is a program designed to allow a sysadmin to give limited root
privileges to users and log root activity. The basic philosophy is to give
as few privileges as possible but still allow people to get their work done.
+ .
+ This version is built with minimal shared library dependencies, use the
+ sudo-ldap package instead if you need LDAP support.
+Package: sudo-ldap
+Architecture: any
+Depends: ${shlibs:Depends}, libpam-modules
+Conflicts: sudo
+Replaces: sudo
+Provides: sudo
+Description: Provide limited super user privileges to specific users
+ Sudo is a program designed to allow a sysadmin to give limited root
+ privileges to users and log root activity. The basic philosophy is to give
+ as few privileges as possible but still allow people to get their work done.
+ .
+ This version is built with LDAP support.
TODO
HISTORY
README
-README.LDAP
TROUBLESHOOTING
-sudoers2ldif
"# This file MUST be edited with the 'visudo' command as root.\n",
"#\n",
"# See the man page for details on how to write a sudoers file.\n",
- "#\n\n# Host alias specification\n\n",
+ "#\n\nDefaults\tenv_reset\n\n",
+ "# Host alias specification\n\n",
"# User alias specification\n\n",
"# Cmnd alias specification\n\n",
"# User privilege specification\nroot\tALL=(ALL) ALL\n";
#!/usr/bin/make -f
export DH_VERBOSE=1
-export DH_COMPAT=4
CFLAGS = -O2 -Wall -Wno-comment
ifneq (,$(findstring debug,$(DEB_BUILD_OPTIONS)))
endif
export CFLAGS
-build: build-stamp
-build-stamp:
+build: config-stamp
+config-stamp:
dh_testdir
- ./configure --prefix=/usr -v \
+ # simple version
+ mkdir -p build-simple
+ cd build-simple && ../configure --prefix=/usr -v \
+ --with-all-insults \
+ --with-exempt=sudo --with-pam --with-fqdn \
+ --with-logging=syslog --with-logfac=authpriv \
+ --with-env-editor --with-editor=/usr/bin/editor \
+ --with-timeout=15 --with-password-timeout=0 \
+ --disable-root-mailer --disable-setresuid \
+ --with-sendmail=/usr/sbin/sendmail \
+ --with-secure-path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin"
+
+ # LDAP version
+ mkdir -p build-ldap
+ cd build-ldap && ../configure --prefix=/usr -v \
--with-all-insults \
--with-exempt=sudo --with-pam --with-ldap --with-fqdn \
--with-logging=syslog --with-logfac=authpriv \
--with-timeout=15 --with-password-timeout=0 \
--disable-root-mailer --disable-setresuid \
--with-sendmail=/usr/sbin/sendmail \
+ --with-ldap-conf-file=/etc/ldap/ldap.conf \
--with-secure-path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin"
- -$(MAKE)
+ touch config-stamp
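Review bot: The two configure invocations in the config-stamp recipe differ by more than LDAP support: the build-simple call passes `--with-env-editor --with-editor=/usr/bin/editor`, while the build-ldap call does not. As written, visudo in sudo-ldap would be built with a different editor policy from visudo in sudo, and nothing in the changelog entry says that is intended. Keeping the shared flags in one make variable, with only the LDAP flags added for the second tree, would stop the two setuid builds from drifting apart.

```make
# flags shared by both variants; only the LDAP build adds to them
COMMON_CONFFLAGS = --prefix=/usr -v \
	--with-all-insults \
	--with-exempt=sudo --with-pam --with-fqdn \
	--with-logging=syslog --with-logfac=authpriv \
	--with-env-editor --with-editor=/usr/bin/editor \
	--with-timeout=15 --with-password-timeout=0 \
	--disable-root-mailer --disable-setresuid \
	--with-sendmail=/usr/sbin/sendmail \
	--with-secure-path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin"

config-stamp:
	# … unchanged: dh_testdir, mkdir -p build-simple, mkdir -p build-ldap …
	cd build-simple && ../configure $(COMMON_CONFFLAGS)
	cd build-ldap && ../configure $(COMMON_CONFFLAGS) \
		--with-ldap --with-ldap-conf-file=/etc/ldap/ldap.conf
	touch config-stamp
```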
+
+build: build-stamp
+build-stamp: config-stamp
+ dh_testdir
+
+ -$(MAKE) -C build-simple
+ -$(MAKE) -C build-ldap
touch build-stamp
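Review bot: Both `-$(MAKE) -C build-simple` and `-$(MAKE) -C build-ldap` carry the `-` prefix, so a failed compile of either variant is ignored and `touch build-stamp` still records the build as done. With two trees, a failure in one is easy to miss in the log, and the install target now depends only on build-stamp. Dropping the prefix, `$(MAKE) -C build-simple` and `$(MAKE) -C build-ldap`, makes the package build stop at the first error instead of carrying on towards installing a setuid binary from a tree that did not build cleanly.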
clean:
dh_testdir
dh_testroot
- rm -f build-stamp
-
- -$(MAKE) distclean || exit 0
+ rm -f config-stamp build-stamp
+ rm -rf build-simple build-ldap
+ rm -f config.cache
-test -r /usr/share/misc/config.sub && \
cp -f /usr/share/misc/config.sub config.sub
dh_clean
-install: build
+install: build-stamp
dh_testdir
dh_testroot
dh_clean -k
dh_installdirs
- install -o root -g root -m 4755 -s sudo debian/sudo/usr/bin/sudo
+ # simple version
+ install -o root -g root -m 4755 -s build-simple/sudo debian/sudo/usr/bin/sudo
ln -sf sudo debian/sudo/usr/bin/sudoedit
- install -o root -g root -m 0755 -s visudo debian/sudo/usr/sbin/visudo
- install -o root -g root -m 0644 sudo.man \
+ install -o root -g root -m 0755 -s build-simple/visudo \
+ debian/sudo/usr/sbin/visudo
+ install -o root -g root -m 0644 build-simple/sudo.man \
debian/sudo/usr/share/man/man8/sudo.8
ln -sf sudo.8 debian/sudo/usr/share/man/man8/sudoedit.8
- install -o root -g root -m 0644 visudo.man \
+ install -o root -g root -m 0644 build-simple/visudo.man \
debian/sudo/usr/share/man/man8/visudo.8
- install -o root -g root -m 0644 sudoers.man \
+ install -o root -g root -m 0644 build-simple/sudoers.man \
debian/sudo/usr/share/man/man5/sudoers.5
install -o root -g root -m 0644 sample.sudoers \
debian/sudo/usr/share/doc/sudo/examples/sudoers
install -o root -g root -m 0644 debian/sudo.lintian \
debian/sudo/usr/share/lintian/overrides/sudo
+ # LDAP version
+ install -o root -g root -m 4755 -s build-ldap/sudo debian/sudo-ldap/usr/bin/sudo
+ ln -sf sudo debian/sudo-ldap/usr/bin/sudoedit
+ install -o root -g root -m 0755 -s build-ldap/visudo debian/sudo-ldap/usr/sbin/visudo
+ install -o root -g root -m 0644 build-ldap/sudo.man \
+ debian/sudo-ldap/usr/share/man/man8/sudo.8
+ ln -sf sudo.8 debian/sudo-ldap/usr/share/man/man8/sudoedit.8
+ install -o root -g root -m 0644 build-ldap/visudo.man \
+ debian/sudo-ldap/usr/share/man/man8/visudo.8
+ install -o root -g root -m 0644 build-ldap/sudoers.man \
+ debian/sudo-ldap/usr/share/man/man5/sudoers.5
+ install -o root -g root -m 0644 sample.sudoers \
+ debian/sudo-ldap/usr/share/doc/sudo-ldap/examples/sudoers
+ install -o root -g root -m 0644 debian/sudo.pam \
+ debian/sudo-ldap/etc/pam.d/sudo
+
+ install -o root -g root -m 0644 debian/sudo-ldap.lintian \
+ debian/sudo-ldap/usr/share/lintian/overrides/sudo-ldap
+
binary-indep: build install
binary-arch: build install
dh_testdir
dh_testroot
dh_installdocs
- dh_installexamples
- dh_installmenu
- dh_installinit
- dh_installcron
+ dh_installexamples -A
+ dh_installinit -psudo -psudo-ldap
dh_installmanpages fnmatch.3
- dh_installinfo
+ dh_installinfo -A
dh_installchangelogs CHANGES
- dh_link
dh_strip
dh_compress
dh_fixperms
- chown root.root debian/sudo/usr/bin/sudo
- chmod 4755 debian/sudo/usr/bin/sudo
+ chown root.root debian/sudo/usr/bin/sudo debian/sudo-ldap/usr/bin/sudo
+ chmod 4755 debian/sudo/usr/bin/sudo debian/sudo-ldap/usr/bin/sudo
dh_installdeb
dh_shlibdeps
dh_gencontrol
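Review bot: The `chown root.root` line for the two setuid binaries uses the dot separator, which chown keeps only for backward compatibility; the postinst added in this same diff already uses `root:root`. I would write it as `chown root:root debian/sudo/usr/bin/sudo debian/sudo-ldap/usr/bin/sudo`. I would also add a comment above the pair, such as `# dh_fixperms strips setuid bits; restore 4755 on both sudo binaries`, because the reason these lines repeat what `install -m 4755` already did is not obvious. The binary-arch recipe appears to continue past the end of this hunk.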
--- /dev/null
+etc/pam.d
+usr/bin
+usr/share/man/man8
+usr/share/man/man5
+usr/sbin
+usr/share/doc/sudo-ldap/examples
+usr/share/lintian/overrides
--- /dev/null
+debian/OPTIONS
+BUGS
+RUNSON
+UPGRADE
+PORTING
+TODO
+HISTORY
+README
+README.LDAP
+TROUBLESHOOTING
+sudoers2ldif
--- /dev/null
+#! /bin/sh
+
+### BEGIN INIT INFO
+# Provides: sudu
+# Required-Start: $local_fs $remote_fs
+# Required-Stop:
+# Default-Start: S 1 2 3 4 5
+# Default-Stop: 0 6
+### END INIT INFO
+
+N=/etc/init.d/sudo
+
+set -e
+
+case "$1" in
+ start)
+ # make sure privileges don't persist across reboots
+ if [ -d /var/run/sudo ]
+ then
+ find /var/run/sudo -type f -exec touch -t 198501010000 '{}' \;
+ fi
+ ;;
+ stop|reload|restart|force-reload)
+ ;;
+ *)
+ echo "Usage: $N {start|stop|restart|force-reload}" >&2
+ exit 1
+ ;;
+esac
+
+exit 0
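Review bot: The LSB header reads `# Provides: sudu`, which looks like a typo for the facility name and should be `# Provides: sudo`. The script also sets `N=/etc/init.d/sudo`, although the lintian overrides added in this diff refer to `/etc/init.d/sudo-ldap`. The usage message omits `reload`, which the case statement accepts. The start action resets only regular files (`-type f`); if this sudo version uses the per-user directory itself as the ticket when tty_tickets is off, those tickets would not be expired at boot, which is worth confirming against the timestamp code.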
--- /dev/null
+sudo-ldap: setuid-binary usr/bin/sudo 4755 root/root
+sudo-ldap: postrm-contains-additional-updaterc.d-calls /etc/init.d/sudo-ldap
+sudo-ldap: script-in-etc-init.d-not-registered-via-update-rc.d /etc/init.d/sudo-ldap
--- /dev/null
+#!/usr/bin/perl
+
+# remove old link
+
+unlink ("/etc/alternatives/sudo") if ( -l "/etc/alternatives/sudo");
+
+# make sure we have a sudoers file
+if ( ! -f "/etc/sudoers") {
+
+ print "No /etc/sudoers found... creating one for you.\n";
+
+ open (SUDOERS, "> /etc/sudoers");
+ print SUDOERS "# /etc/sudoers\n",
+ "#\n",
+ "# This file MUST be edited with the 'visudo' command as root.\n",
+ "#\n",
+ "# See the man page for details on how to write a sudoers file.\n",
+ "#\n\nDefaults\tenv_reset\n\n",
+ "# Host alias specification\n\n",
+ "# User alias specification\n\n",
+ "# Cmnd alias specification\n\n",
+ "# User privilege specification\nroot\tALL=(ALL) ALL\n";
+ close SUDOERS;
+
+}
+
+# make sure sudoers has the correct permissions and owner/group
+system ('chown root:root /etc/sudoers');
+system ('chmod 440 /etc/sudoers');
+
+# must do a remove first to un-do the "bad" links created by previous version
+system ('update-rc.d -f sudo remove >/dev/null 2>&1');
+
+system ('update-rc.d sudo start 75 S . >/dev/null');
+
+# make sure we have a sudo group
+
+exit 0 if getgrnam("sudo"); # we're finished if there is a group sudo
+
+$gid = 27; # start searcg with gid 27
+setgrent;
+while (getgrgid($gid)) {
+ ++$gid;
+}
+endgrent;
+
+if ($gid != 27) {
+ print "On Debian we normally use gid 27 for 'sudo'.\n";
+ $gname = getgrgid(27);
+ print "However, on your system gid 27 is group '$gname'.\n\n";
+ print "Would you like me to stop configuring sudo so that you can change this? [n] ";
+ $ans = <STDIN>;
+ if ($ans =~ m/^[yY].*/) {
+ print "'dpkg --pending --configure' will restart the configuration.\n\n\n";
+ exit 1;
+ }
+}
+
+print "Creating group 'sudo' with gid = $gid\n";
+system("groupadd -g $gid sudo");
+
+print "";
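Review bot: `open (SUDOERS, "> /etc/sudoers")` creates the file under whatever umask dpkg runs with and never checks the result, so the new sudoers keeps that default mode until the later `chmod 440`, and a failed open goes unnoticed. Setting the mask first and failing loudly closes both gaps: `umask(0337);` followed by `open (SUDOERS, "> /etc/sudoers") or die "cannot create /etc/sudoers: $!";`. Separately, `update-rc.d sudo start 75 S .` registers a script named `sudo`, while sudo-ldap.lintian in this diff names `/etc/init.d/sudo-ldap`. If the init script is installed under the package name, the boot-time ticket reset is never registered, and the discarded `system` exit status hides that.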
--- /dev/null
+#! /bin/sh
+
+set -e
+
+case "$1" in
+ purge)
+ rm -f /etc/sudoers
+ ;;
+
+ remove|upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+ ;;
+
+ *)
+ echo "postrm called with unknown argument \`$1'" >&2
+ exit 1
+
+esac
+
+#DEBHELPER#
+
+exit 0
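Review bot: The purge branch runs `rm -f /etc/sudoers` unconditionally, but sudo-ldap and sudo declare Conflicts/Replaces on each other and share that file. Purging sudo-ldap after switching to the plain sudo package would therefore delete the policy file the installed sudo is using. A guard such as `[ -x /usr/bin/sudo ] || rm -f /etc/sudoers` keeps the file while another provider of the binary is still present. The final `*)` branch also has no terminating `;;`, which sh accepts for the last pattern but is inconsistent with the branches above it.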
"TERMCAP", /* XXX - only if it starts with '/' */
"ENV",
"BASH_ENV",
+ "PS4",
+ "SHELLOPTS",
+ "JAVA_TOOL_OPTIONS",
+ "PERLLIB",
+ "PERL5LIB",
+ "PERL5OPT",
NULL
};
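Review bot: The six new entries say nothing about which program consumes each variable, unlike the `TERMCAP` line above them, which carries a comment. A short comment per group would help whoever extends the list next, for example `/* bash: xtrace prompt and option list */` before `"PS4"`, `/* JVM */` before `"JAVA_TOOL_OPTIONS"` and `/* perl module path and switches */` before `"PERLLIB"`. This deny-list has needed three point releases in a row, so the comment could also mention the `env_reset` default that the packaging in this diff adds, which is the sturdier control. The array begins outside the hunk.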
-1.6.8p9 June, 20 2005 1
+1.6.8p12 June, 20 2005 1
-1.6.8p9 June, 20 2005 2
+1.6.8p12 June, 20 2005 2
-1.6.8p9 June, 20 2005 3
+1.6.8p12 June, 20 2005 3
-1.6.8p9 June, 20 2005 4
+1.6.8p12 June, 20 2005 4
-1.6.8p9 June, 20 2005 5
+1.6.8p12 June, 20 2005 5
-1.6.8p9 June, 20 2005 6
+1.6.8p12 June, 20 2005 6
-1.6.8p9 June, 20 2005 7
+1.6.8p12 June, 20 2005 7
-1.6.8p9 June, 20 2005 8
+1.6.8p12 June, 20 2005 8
-1.6.8p9 June, 20 2005 9
+1.6.8p12 June, 20 2005 9
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "June 20, 2005" "1.6.8p9" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "June 20, 2005" "1.6.8p12" "MAINTENANCE COMMANDS"
.SH "NAME"
sudo, sudoedit \- execute a command as another user
.SH "SYNOPSIS"
-1.6.8p9 June, 20 2005 1
+1.6.8p12 June, 20 2005 1
-1.6.8p9 June, 20 2005 2
+1.6.8p12 June, 20 2005 2
-1.6.8p9 June, 20 2005 3
+1.6.8p12 June, 20 2005 3
-1.6.8p9 June, 20 2005 4
+1.6.8p12 June, 20 2005 4
-1.6.8p9 June, 20 2005 5
+1.6.8p12 June, 20 2005 5
-1.6.8p9 June, 20 2005 6
+1.6.8p12 June, 20 2005 6
-1.6.8p9 June, 20 2005 7
+1.6.8p12 June, 20 2005 7
-1.6.8p9 June, 20 2005 8
+1.6.8p12 June, 20 2005 8
-1.6.8p9 June, 20 2005 9
+1.6.8p12 June, 20 2005 9
-1.6.8p9 June, 20 2005 10
+1.6.8p12 June, 20 2005 10
-1.6.8p9 June, 20 2005 11
+1.6.8p12 June, 20 2005 11
-1.6.8p9 June, 20 2005 12
+1.6.8p12 June, 20 2005 12
-1.6.8p9 June, 20 2005 13
+1.6.8p12 June, 20 2005 13
-1.6.8p9 June, 20 2005 14
+1.6.8p12 June, 20 2005 14
-1.6.8p9 June, 20 2005 15
+1.6.8p12 June, 20 2005 15
-1.6.8p9 June, 20 2005 16
+1.6.8p12 June, 20 2005 16
-1.6.8p9 June, 20 2005 17
+1.6.8p12 June, 20 2005 17
-1.6.8p9 June, 20 2005 18
+1.6.8p12 June, 20 2005 18
-1.6.8p9 June, 20 2005 19
+1.6.8p12 June, 20 2005 19
-1.6.8p9 June, 20 2005 20
+1.6.8p12 June, 20 2005 20
-1.6.8p9 June, 20 2005 21
+1.6.8p12 June, 20 2005 21
-1.6.8p9 June, 20 2005 22
+1.6.8p12 June, 20 2005 22
-1.6.8p9 June, 20 2005 23
+1.6.8p12 June, 20 2005 23
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "June 20, 2005" "1.6.8p9" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "June 20, 2005" "1.6.8p12" "MAINTENANCE COMMANDS"
.SH "NAME"
sudoers \- list of which users may execute what
.SH "DESCRIPTION"
#ifndef _SUDO_VERSION_H
#define _SUDO_VERSION_H
-static const char version[] = "1.6.8p9";
+static const char version[] = "1.6.8p12";
#endif /* _SUDO_VERSION_H */
-1.6.8p9 June, 20 2005 1
+1.6.8p12 June, 20 2005 1
-1.6.8p9 June, 20 2005 2
+1.6.8p12 June, 20 2005 2
-1.6.8p9 June, 20 2005 3
+1.6.8p12 June, 20 2005 3
.\" ========================================================================
.\"
.IX Title "VISUDO @mansectsu@"
-.TH VISUDO @mansectsu@ "June 20, 2005" "1.6.8p9" "MAINTENANCE COMMANDS"
+.TH VISUDO @mansectsu@ "June 20, 2005" "1.6.8p12" "MAINTENANCE COMMANDS"
.SH "NAME"
visudo \- edit the sudoers file
.SH "SYNOPSIS"