From 5d1cdf83dd9f20f98a294efaa9b54a0b9458f05c Mon Sep 17 00:00:00 2001
From: Bdale Garbee
Date: Thu, 11 Mar 2010 12:46:25 -0700
Subject: [PATCH] more work moving to quilt for patch management
---
.gbp.conf => debian/gbp.conf | 0
debian/patches/env.c-safety.diff | 52 +++++++++++++++++++++++++++
debian/patches/series | 3 ++
debian/patches/sudo.pod.diff | 11 ------
debian/patches/sudoers.pod.diff | 60 ++++++--------------------------
sudo.c | 10 ++++--
sudo.h | 2 --
sudoers.man.in | 2 +-
sudoers.pod | 2 +-
9 files changed, 75 insertions(+), 67 deletions(-)
rename .gbp.conf => debian/gbp.conf (100%)
diff --git a/.gbp.conf b/debian/gbp.conf
similarity index 100%
rename from .gbp.conf
rename to debian/gbp.conf
diff --git a/debian/patches/env.c-safety.diff b/debian/patches/env.c-safety.diff
index 6a6467d..8531e9a 100644
--- a/debian/patches/env.c-safety.diff
+++ b/debian/patches/env.c-safety.diff
@@ -27,3 +27,55 @@ /* For SUDO_PS1 -> PS1 conversion. */ if (strncmp(*ep, "SUDO_PS1=", 8) == 0) ps1 = *ep + 5; +--- tmp/sudoers.pod 2010-03-11 12:28:58.000000000 -0700 ++++ sudo/sudoers.pod 2010-03-11 12:29:58.000000000 -0700 +@@ -1227,6 +1227,9 @@ + + =item env_delete + ++Not effective due to security issues: only variables listed in ++I or I can be passed through B! ++ + Environment variables to be removed from the user's environment + when the I option is not in effect. The argument may + be a double-quoted, space-separated list or a single value without +@@ -1240,8 +1243,8 @@ + + =item env_keep + +-Environment variables to be preserved in the user's environment +-when the I option is in effect. This allows fine-grained ++Environment variables to be preserved in the user's environment. ++This allows fine-grained + control over the environment B-spawned processes will receive. + The argument may be a double-quoted, space-separated list or a + single value without double-quotes. The list can be replaced, added +@@ -1280,8 +1283,14 @@ + =head1 EXAMPLES + + Below are example I entries. Admittedly, some of +-these are a bit contrived. First, we define our I: ++these are a bit contrived. First, we allow a few environment ++variables to pass and then define our I: + ++ # Run X applications through sudo; HOME is used to find .Xauthority file ++ # Note that some programs may use HOME for other purposes too and ++ # this may lead to privilege escalation! ++ Defaults env_keep = "DISPLAY HOME" ++ + # User alias specification + User_Alias FULLTIMERS = millert, mikef, dowdy + User_Alias PARTTIMERS = bostley, jwfox, crawl +--- /home/bdale/Desktop/sudo-1.7.2p1/sudo.pod 2009-06-15 15:19:47.000000000 -0600 ++++ sudo/sudo.pod 2009-11-20 07:31:58.000000000 -0700 +@@ -452,8 +452,8 @@ + To prevent command spoofing, B checks "." and "" (both denoting + current directory) last when searching for a command in the user's + PATH (if one or both are in the PATH). 
Note, however, that the +-actual C environment variable is I modified and is passed +-unchanged to the program that B executes. ++C environment variable is further modified in Debian because of ++the use of the I build option. + + B will check the ownership of its timestamp directory + (F<@timedir@> by default) and ignore the directory's contents if diff --git a/debian/patches/series b/debian/patches/series index 264a255..08d2543 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -2,3 +2,6 @@ makefile-strip.diff sudo-1.7.2p1-visudo-manpage-fix.diff typo-in-classic-insults.diff env.c-safety.diff +paths-in-samples.diff +sudoers.pod.diff +sudo.pod.diff diff --git a/debian/patches/sudo.pod.diff b/debian/patches/sudo.pod.diff index 0b2d38c..2d34627 100644 --- a/debian/patches/sudo.pod.diff +++ b/debian/patches/sudo.pod.diff @@ -1,16 +1,5 @@ --- /home/bdale/Desktop/sudo-1.7.2p1/sudo.pod 2009-06-15 15:19:47.000000000 -0600 +++ sudo/sudo.pod 2009-11-20 07:31:58.000000000 -0700 -@@ -452,8 +452,8 @@ - To prevent command spoofing, B checks "." and "" (both denoting - current directory) last when searching for a command in the user's - PATH (if one or both are in the PATH). Note, however, that the --actual C environment variable is I modified and is passed --unchanged to the program that B executes. -+C environment variable is further modified in Debian because of -+the use of the I build option. - - B will check the ownership of its timestamp directory - (F<@timedir@> by default) and ignore the directory's contents if @@ -616,6 +616,10 @@ L, L, L, L diff --git a/debian/patches/sudoers.pod.diff b/debian/patches/sudoers.pod.diff index b780785..281c711 100644 --- a/debian/patches/sudoers.pod.diff +++ b/debian/patches/sudoers.pod.diff 
@@ -1,5 +1,5 @@ ---- /home/bdale/Desktop/sudo-1.7.2p1/sudoers.pod 2009-06-30 06:41:09.000000000 -0600 -+++ sudo/sudoers.pod 2009-11-20 07:31:58.000000000 -0700 +--- tmp/sudoers.pod 2010-03-11 12:28:58.000000000 -0700 ++++ sudo/sudoers.pod 2010-03-11 12:29:58.000000000 -0700 @@ -93,7 +93,7 @@ Cmnd_Alias ::= NAME '=' Cmnd_List 
@@ -8,50 +8,12 @@ + NAME ::= [A-Z]([a-z][A-Z][0-9]_)* Each I definition is of the form - -@@ -565,7 +565,7 @@ - - =over 16 - --=item always_set_home -+=item mail_badpass - - If set, B will set the C environment variable to the home - directory of the target user (which is root unless the B<-u> option is used). -@@ -1227,6 +1227,9 @@ - - =item env_delete - -+Not effective due to security issues: only variables listed in -+I or I can be passed through B! -+ - Environment variables to be removed from the user's environment - when the I option is not in effect. The argument may - be a double-quoted, space-separated list or a single value without -@@ -1240,8 +1243,8 @@ - - =item env_keep - --Environment variables to be preserved in the user's environment --when the I option is in effect. This allows fine-grained -+Environment variables to be preserved in the user's environment. -+This allows fine-grained - control over the environment B-spawned processes will receive. - The argument may be a double-quoted, space-separated list or a - single value without double-quotes. The list can be replaced, added -@@ -1282,6 +1285,15 @@ - Below are example I entries. Admittedly, some of - these are a bit contrived. First, we define our I: - -+Below are example I entries. Admittedly, some of -+these are a bit contrived. First, we allow a few environment -+variables to pass and then define our I: -+ -+ # Run X applications through sudo; HOME is used to find .Xauthority file -+ # Note that some programs may use HOME for other purposes too and -+ # this may lead to privilege escalation! -+ Defaults env_keep = "DISPLAY HOME" -+ - # User alias specification - User_Alias FULLTIMERS = millert, mikef, dowdy - User_Alias PARTTIMERS = bostley, jwfox, crawl +@@ -747,7 +747,7 @@ + If set, root is allowed to run B too. Disabling this prevents users + from "chaining" B commands to get a root shell by doing something + like C<"sudo sudo /bin/sh">. 
Note, however, that turning off I +-will also prevent root and from running B. ++will also prevent root from running B. + Disabling I provides no real additional security; it + exists purely for historical reasons. + This flag is I<@root_sudo@> by default. diff --git a/sudo.c b/sudo.c index 4ee0c4c..27af77a 100644 --- a/sudo.c +++ b/sudo.c @@ -628,7 +628,6 @@ init_vars(sudo_mode, envp) * "host" is the (possibly fully-qualified) hostname and * "shost" is the unqualified form of the hostname. */ - sudo_user.host_fqdn_queried = FALSE; nohostname = gethostname(thost, sizeof(thost)); if (nohostname) user_host = user_shost = "localhost"; @@ -639,7 +638,13 @@ init_vars(sudo_mode, envp) /* Defer call to set_fqdn() until log_error() is safe. */ user_shost = user_host; } else { - user_shost = user_host; + if ((p = strchr(user_host, '.'))) { + *p = '\0'; + user_shost = estrdup(user_host); + *p = '.'; + } else { + user_shost = user_host; + } } } @@ -1364,7 +1369,6 @@ set_fqdn() } else { user_shost = user_host; } - sudo_user.host_fqdn_queried = TRUE; } /* diff --git a/sudo.h b/sudo.h index 8fa7699..afb4e4e 100644 --- a/sudo.h +++ b/sudo.h @@ -47,8 +47,6 @@ struct sudo_user { char *ttypath; char *host; char *shost; - int host_fqdn_queried; - char **runas; char *prompt; char *cmnd; char *cmnd_args; diff --git a/sudoers.man.in b/sudoers.man.in index 9d4f010..b56b1c4 100644 --- a/sudoers.man.in +++ b/sudoers.man.in @@ -856,7 +856,7 @@ This flag is \fIoff\fR by default. If set, root is allowed to run \fBsudo\fR too. Disabling this prevents users from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something like \f(CW"sudo sudo /bin/sh"\fR. Note, however, that turning off \fIroot_sudo\fR -will also prevent root from running \fBsudoedit\fR. +will also prevent root and from running \fBsudoedit\fR. Disabling \fIroot_sudo\fR provides no real additional security; it exists purely for historical reasons. This flag is \fI@root_sudo@\fR by default. 
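Review bot: In the `@@ -639,7 +638,13 @@` hunk of init_vars() in sudo.c, `user_shost` ends up either as a fresh `estrdup()` copy or as an alias of `user_host`, and nothing in the new lines records that difference. Any later code that frees or rewrites one of the two has to compare the pointers first, and the tail of set_fqdn() visible in the following hunk ends with the same `user_shost = user_host` fallback, so the short-name derivation appears to exist in two places. I would add a comment above the `strchr()` line such as `/* shost = host up to the first '.'; may alias user_host, so never free it unconditionally */`. The in-place `*p = '\0'` / `*p = '.'` also assumes `user_host` points to writable storage on this path, and a name that begins with '.' would give an empty `user_shost`. Both depend on how `user_host` is assigned, which lies outside the hunk, as do the start and end of init_vars().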
diff --git a/sudoers.pod b/sudoers.pod index bbc2264..47acc3a 100644 --- a/sudoers.pod +++ b/sudoers.pod @@ -747,7 +747,7 @@ This flag is I by default. If set, root is allowed to run B too. Disabling this prevents users from "chaining" B commands to get a root shell by doing something like C<"sudo sudo /bin/sh">. Note, however, that turning off I -will also prevent root and from running B. +will also prevent root from running B. Disabling I provides no real additional security; it exists purely for historical reasons. This flag is I<@root_sudo@> by default. -- 2.47.2