From d91bd6dc6259d1a8f2036cc07e7297b2dcc29e6e Mon Sep 17 00:00:00 2001 From: Bdale Garbee Date: Fri, 22 Jul 2011 15:23:29 +0200 Subject: [PATCH] move secure_path from configure to sudoers --- debian/changelog | 3 +- debian/patches/env.c-safety.diff | 65 -------------------------------- debian/patches/series | 1 - debian/rules | 3 +- debian/sudoers | 1 + 5 files changed, 4 insertions(+), 69 deletions(-) delete mode 100644 debian/patches/env.c-safety.diff diff --git a/debian/changelog b/debian/changelog index 8d9830b..0a6eb11 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,8 +2,9 @@ sudo (1.8.1p2-1) UNRELEASED; urgency=low * new upstream version * include common-session in pam config, closes: #519700, #607199 + * move secure_path from configure to default sudoers, closes: #85123, 85917 - -- Bdale Garbee Fri, 22 Jul 2011 14:51:28 +0200 + -- Bdale Garbee Fri, 22 Jul 2011 15:22:40 +0200 sudo (1.7.4p6-1) unstable; urgency=low diff --git a/debian/patches/env.c-safety.diff b/debian/patches/env.c-safety.diff deleted file mode 100644 index 034dfdb..0000000 --- a/debian/patches/env.c-safety.diff +++ /dev/null @@ -1,65 +0,0 @@ ---- /home/bdale/Desktop/sudo-1.7.2p1/env.c 2009-06-23 12:24:42.000000000 -0600 -+++ sudo/env.c 2009-11-20 07:31:58.000000000 -0700 -@@ -120,6 +120,8 @@ - static const char *initial_badenv_table[] = { - "IFS", - "CDPATH", -+ "SHELLOPTS", -+ "PS4", - "LOCALDOMAIN", - "RES_OPTIONS", - "HOSTALIASES", -@@ -602,6 +604,17 @@ - if (keepit == -1) - keepit = matches_env_keep(*ep); - -+ if (!strncmp (*ep, "DISPLAY=",8) -+ || !strncmp (*ep, "XAUTHORITY=", 11) -+ || !strncmp (*ep, "XAUTHORIZATION=", 15) -+ || !strncmp (*ep, "XAPPLRESDIR=", 12) -+ || !strncmp (*ep, "XFILESEARCHPATH=", 16) -+ || !strncmp (*ep, "XUSERFILESEARCHPATH=", 20) -+ || !strncmp (*ep, "LANG=", 5) -+ || !strncmp (*ep, "LANGUAGE=", 9) -+ || !strncmp (*ep, "LC_", 3)) -+ keepit = 1; -+ - /* For SUDO_PS1 -> PS1 conversion. */ - if (strncmp(*ep, "SUDO_PS1=", 8) == 0) - ps1 = *ep + 5; ---- tmp/sudoers.pod 2010-03-11 12:28:58.000000000 -0700 -+++ sudo/sudoers.pod 2010-03-11 12:29:58.000000000 -0700 -@@ -1227,6 +1227,9 @@ - - =item env_delete - -+Not effective due to security issues: only variables listed in -+I or I can be passed through B! -+ - Environment variables to be removed from the user's environment - when the I option is not in effect. The argument may - be a double-quoted, space-separated list or a single value without -@@ -1240,8 +1243,8 @@ - - =item env_keep - --Environment variables to be preserved in the user's environment --when the I option is in effect. This allows fine-grained -+Environment variables to be preserved in the user's environment. -+This allows fine-grained - control over the environment B-spawned processes will receive. - The argument may be a double-quoted, space-separated list or a - single value without double-quotes. The list can be replaced, added ---- a/sudo.pod -+++ b/sudo.pod -@@ -456,8 +456,8 @@ and, as such, it is not possible for B to preserve them. - To prevent command spoofing, B checks "." and "" (both denoting - current directory) last when searching for a command in the user's - PATH (if one or both are in the PATH). Note, however, that the --actual C environment variable is I modified and is passed --unchanged to the program that B executes. -+C environment variable is further modified in Debian because of -+the use of the I build option. - - B will check the ownership of its time stamp directory - (F<@timedir@> by default) and ignore the directory's contents if diff --git a/debian/patches/series b/debian/patches/series index 178a4c4..5e1f561 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -1,3 +1,2 @@ typo-in-classic-insults.diff -env.c-safety.diff paths-in-samples.diff diff --git a/debian/rules b/debian/rules index 2f665ff..6c06320 100755 --- a/debian/rules +++ b/debian/rules @@ -36,8 +36,7 @@ configure-stamp: --disable-setresuid \ --with-sendmail=/usr/sbin/sendmail \ --mandir=/usr/share/man \ - --libexecdir=/usr/lib/sudo \ - --with-secure-path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin" + --libexecdir=/usr/lib/sudo # LDAP version mkdir -p build-ldap diff --git a/debian/sudoers b/debian/sudoers index 4cecb43..1f73243 100644 --- a/debian/sudoers +++ b/debian/sudoers @@ -7,6 +7,7 @@ # See the man page for details on how to write a sudoers file. # Defaults env_reset +Defaults secure_path "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin" # Host alias specification -- 2.47.2