upg libnl sudo

This commit is contained in:
joborun linux 2024-07-20 03:31:31 +03:00
parent 9683784426
commit 93e14dd46e
9 changed files with 328 additions and 23 deletions


@ -6,7 +6,7 @@
#-----------------------------------------| DESCRIPTION |---------------------------------------
pkgname=libnl
pkgver=3.9.0
pkgver=3.10.0
pkgrel=01
pkgdesc='Library for applications dealing with netlink sockets'
url='https://github.com/thom311/libnl/'
@ -46,8 +46,7 @@ license=(GPL)
validpgpkeys=('49EA7C670E0850E7419514F629C2366E4DFC5728') # Thomas Haller
sha256sums=(aed507004d728a5cf11eab48ca4bf9e6e1874444e33939b9d3dfed25018ee9bb # libnl-3.9.0.tar.gz
673a014ae2405ee7c1877c407c669b35fe36ae56ab0497a2b3443b3e8aa73a59) # libnl-3.9.0.tar.gz.sig
## 6e7c3122b738b5b0befb103849d9444dea824266b9b050f943d01e27d507fac9 libnl-3.9.0-01-x86_64.pkg.tar.lz
sha256sums=(49b3e2235fdb58f5910bbb3ed0de8143b71ffc220571540502eb6c2471f204f5 # libnl-3.10.0.tar.gz
58f1c072c7b3baa332f372cd3840469f6622c689eed6bc6deb67b774f7e32217) # libnl-3.10.0.tar.gz.sig
## fc66f5d91eae5b8ae62aa7e5c917bde2b9c7cce037407c87968cf432d5cff4df libnl-3.10.0-01-x86_64.pkg.tar.lz


@ -2,7 +2,7 @@
# Contributor: Thomas Bächler <thomas@archlinux.org>
pkgname=libnl
pkgver=3.9.0
pkgver=3.10.0
pkgrel=1
pkgdesc='Library for applications dealing with netlink sockets'
arch=('x86_64')
@ -15,11 +15,11 @@ backup=('etc/libnl/classid'
'etc/libnl/pktloc')
validpgpkeys=('49EA7C670E0850E7419514F629C2366E4DFC5728') # Thomas Haller
source=("https://github.com/thom311/libnl/releases/download/libnl${pkgver//./_}/${pkgname}-${pkgver}.tar.gz"{,.sig})
sha256sums=('aed507004d728a5cf11eab48ca4bf9e6e1874444e33939b9d3dfed25018ee9bb'
sha256sums=('49b3e2235fdb58f5910bbb3ed0de8143b71ffc220571540502eb6c2471f204f5'
'SKIP')
build() {
cd $pkgname-$pkgver
cd "${pkgname}-${pkgver}"
./configure \
--prefix=/usr \
--sysconfdir=/etc \
@ -29,9 +29,9 @@ build() {
}
check() {
make -C $pkgname-$pkgver check
make -C "${pkgname}-${pkgver}" check
}
package() {
make -C $pkgname-$pkgver DESTDIR="$pkgdir" install
make -C "${pkgname}-${pkgver}" DESTDIR="${pkgdir}" install
}


@ -1,3 +1,2 @@
bison


@ -7,7 +7,7 @@
pkgname=sudo
_sudover=1.9.15p5
pkgrel=01
pkgrel=02
pkgver=${_sudover/p/.p}
pkgdesc="Give certain users the ability to run some commands as root w/o systemd"
url="https://www.sudo.ws/sudo/"
@ -23,16 +23,18 @@ source=(https://www.sudo.ws/sudo/dist/$pkgname-$_sudover.tar.gz{,.sig}
# sudo_logsrvd.service
# $pkgname-configure-add-missing-bracket.patch::https://github.com/sudo-project/sudo/commit/defec5d46eec.patch
# $pkgname-tests-pick-first-utf-8-locale.patch::https://github.com/sudo-project/sudo/commit/2845ceafb06d.patch
$pkgname-preserve-editor-for-visudo.patch::https://github.com/sudo-project/sudo/commit/1db1453556e1.patch
$pkgname-enable-secure_path-by-default.patch::https://github.com/sudo-project/sudo/commit/e0e24456bc3f.patch
change-default-secure-path.patch
sudo.pam)
prepare() {
cd $pkgname-$_sudover
# https://github.com/sudo-project/sudo/issues/238
# patch -Np1 -i ../$pkgname-configure-add-missing-bracket.patch
# https://github.com/sudo-project/sudo/issues/241
# patch -Np1 -i ../$pkgname-tests-pick-first-utf-8-locale.patch
patch -Np1 -i ../$pkgname-preserve-editor-for-visudo.patch
patch -Np1 -F3 -i ../$pkgname-enable-secure_path-by-default.patch
# we cannot use --with-secure_path as it will enable it internally as well
# keeping it disabled in the sudo binary allows the user to comment it out
patch -Np1 -i ../change-default-secure-path.patch
}
@ -93,7 +95,10 @@ validpgpkeys=('59D1E9CCBA2B376704FDD35BA9F4C021CEA470FB') # "Todd C. Miller <Tod
sha256sums=(558d10b9a1991fb3b9fa7fa7b07ec4405b7aefb5b3cb0b0871dbc81e3a88e558 # sudo-1.9.15p5.tar.gz
94ac50200cb00e82df1a76747166f90c4febdb5b45c4a8edbf0251029a559230 # sudo-1.9.15p5.tar.gz.sig
321aa5f1b482ffd5728c07477a51ce3de1e48b9db13f4578e662c227c705826c # sudo-preserve-editor-for-visudo.patch
baacece8e854bed47276925715ae8f3c2771ad72821006b3a26796fe154e1130 # sudo-enable-secure_path-by-default.patch
d062bab92a9fcd2fac0a4a9dca155c58efc0f942dd1ed7e37e7055455a4980d9 # change-default-secure-path.patch
d1738818070684a5d2c9b26224906aad69a4fea77aabd960fc2675aee2df1fa2) # sudo.pam
## 6350ef805e5340ea483e7d066454921b0fe7f001315a34041995c4919f03a8c6 sudo-1.9.15.p5-01-x86_64.pkg.tar.lz
## 2eb19a42be92e8c41d1964d39cc1076c6461abd9a80d4cc63fc98e1798315370 sudo-1.9.15.p5-02-x86_64.pkg.tar.lz
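Review bot: `patch -Np1 -F3 -i ../$pkgname-enable-secure_path-by-default.patch` in prepare() applies a commit cut from a newer sudo tree with fuzz 3, so a context mismatch against 1.9.15p5 is tolerated silently and a hunk may land a few lines away from where upstream placed it, which is a weak way to carry a security default into the build. The change-default-secure-path.patch applied right after it without fuzz does confirm that the first patch's `secure_path=` line reached configure and configure.ac, because it fails otherwise, but nothing checks the sudoers.in hunk that actually turns the option on in the shipped sudoers. A one-line guard at the end of prepare(), `grep -q '^Defaults secure_path="@secure_path@"' plugins/sudoers/sudoers.in || return 1`, would make the build fail loudly if the fuzzed hunk ever drops or misplaces that line. The two commented-out `patch` lines for issues 238 and 241 above it are now dead alongside their commented-out sources; either remove them or note which release they were last needed for.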


@ -1,10 +1,10 @@
# Maintainer: Evangelos Foutras <evangelos@foutrelis.com>
# Maintainer: Evangelos Foutras <foutrelis@archlinux.org>
# Contributor: Allan McRae <allan@archlinux.org>
# Contributor: Tom Newsom <Jeepster@gmx.co.uk>
pkgname=sudo
_sudover=1.9.15p5
pkgrel=1
pkgrel=2
pkgver=${_sudover/p/.p}
pkgdesc="Give certain users the ability to run some commands as root"
arch=('x86_64')
@ -17,16 +17,28 @@ backup=('etc/pam.d/sudo'
'etc/sudoers')
install=$pkgname.install
source=(https://www.sudo.ws/sudo/dist/$pkgname-$_sudover.tar.gz{,.sig}
$pkgname-preserve-editor-for-visudo.patch::https://github.com/sudo-project/sudo/commit/1db1453556e1.patch
$pkgname-enable-secure_path-by-default.patch::https://github.com/sudo-project/sudo/commit/e0e24456bc3f.patch
change-default-secure-path.patch
sudo_logsrvd.service
sudo.pam)
sha256sums=('558d10b9a1991fb3b9fa7fa7b07ec4405b7aefb5b3cb0b0871dbc81e3a88e558'
'SKIP'
'8b91733b73171827c360a3e01f4692772b78e62ceca0cf0fd4b770aba35081a1'
'321aa5f1b482ffd5728c07477a51ce3de1e48b9db13f4578e662c227c705826c'
'baacece8e854bed47276925715ae8f3c2771ad72821006b3a26796fe154e1130'
'd062bab92a9fcd2fac0a4a9dca155c58efc0f942dd1ed7e37e7055455a4980d9'
'bd4bc2f5d85cbe14d7e7acc5008cb4fe62c38de7d42dc6876c87bfaa273c0a6e'
'd1738818070684a5d2c9b26224906aad69a4fea77aabd960fc2675aee2df1fa2')
validpgpkeys=('59D1E9CCBA2B376704FDD35BA9F4C021CEA470FB')
prepare() {
cd $pkgname-$_sudover
patch -Np1 -i ../$pkgname-preserve-editor-for-visudo.patch
patch -Np1 -F3 -i ../$pkgname-enable-secure_path-by-default.patch
# we cannot use --with-secure_path as it will enable it internally as well
# keeping it disabled in the sudo binary allows the user to comment it out
patch -Np1 -i ../change-default-secure-path.patch
}
build() {
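Review bot: The new `Defaults secure_path="@secure_path@"` line that the added patches put into sudoers.in only reaches fresh installs, because `etc/sudoers` is in backup=() and an upgraded system gets the packaged file as /etc/sudoers.pacnew while its existing sudoers keeps running without secure_path; the comment in prepare() about "keeping it disabled in the sudo binary" does not make that visible. Since the package already ships `install=$pkgname.install`, a post_upgrade notice for the transition to pkgrel 2 that points at the .pacnew and quotes the line to add, `Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"`, would close the gap for existing systems. The `-F3` fuzz on the upstream patch is worth a comment too, stating that the commit comes from a newer sudo tree and which hunks are known to need the fuzz, so the flag is not carried forward blindly to the next release. build() continues outside the hunk.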


@ -0,0 +1,26 @@
diff --git a/configure b/configure
index 9ac46b6..de561f1 100755
--- a/configure
+++ b/configure
@@ -3729,7 +3729,7 @@ noexec_file="$libexecdir/sudo/sudo_noexec.so"
sesh_file="$libexecdir/sudo/sesh"
visudo="$sbindir/visudo"
nsswitch_conf=/etc/nsswitch.conf
-secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"
secure_path_set="disabled"
pam_session=on
pam_login_service=sudo
diff --git a/configure.ac b/configure.ac
index 2f07e7c..d59c04e 100644
--- a/configure.ac
+++ b/configure.ac
@@ -229,7 +229,7 @@ noexec_file="$libexecdir/sudo/sudo_noexec.so"
sesh_file="$libexecdir/sudo/sesh"
visudo="$sbindir/visudo"
nsswitch_conf=/etc/nsswitch.conf
-secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+secure_path="/usr/local/sbin:/usr/local/bin:/usr/bin"
secure_path_set="disabled"
pam_session=on
pam_login_service=sudo
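Review bot: The trimmed default drops `/usr/sbin`, `/sbin` and `/bin` from the built-in secure_path without saying why, and the patch carries no description above its first `diff --git` line. On a merged-/usr layout those three are presumably symlinks to /usr/bin, so the shorter list is equivalent and only stops /usr/bin being searched more than once, but on a system where /usr/sbin is a real directory the same patch silently removes every admin tool from the PATH sudo uses, which is the failure mode a future porter needs to be warned about. A short header before the first hunk, which patch and git apply ignore, would record the assumption: `Drop /usr/sbin:/sbin:/bin from the built-in secure_path default; on this distribution they are symlinks to /usr/bin (merged /usr), so listing them only duplicates /usr/bin. Revisit if the filesystem layout changes.` Note that the configure.ac hunk only takes effect if the build re-runs autoreconf, so the configure hunk is the one that actually sets the value in this package.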


@ -1,2 +1 @@


@ -0,0 +1,171 @@
From e0e24456bc3fcdf5506660be69186e01583ff383 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Mon, 10 Jun 2024 20:37:05 -0600
Subject: [PATCH] Enable secure_path in default sudoers file.
It is still disabled by default in the sudo binary.
---
INSTALL.md | 3 ++-
configure | 22 ++++++++++++++--------
configure.ac | 15 +++++++++------
docs/sudoers.mdoc.in | 2 +-
plugins/sudoers/sudoers.in | 8 +++++---
5 files changed, 31 insertions(+), 19 deletions(-)
diff --git a/INSTALL.md b/INSTALL.md
index 59c67b8366..2261504b6c 100644
--- a/INSTALL.md
+++ b/INSTALL.md
@@ -999,7 +999,8 @@ Defaults are listed in brackets after the description.
be separate from the "user path." You will need to customize the
path for your site. This is not applied to users in the group
specified by --with-exemptgroup. If you do not specify a path,
- "/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc" is used.
+ "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+ is used.
Sudoers option: secure_path
--with-sendmail=PATH
diff --git a/configure b/configure
index 237d5cf580..e7f1b1d91e 100755
--- a/configure
+++ b/configure
@@ -733,6 +733,7 @@ plugindir
pam_login_service
pam_session
editor
+secure_path_set
secure_path
netsvc_conf
nsswitch_conf
@@ -3680,6 +3681,7 @@ sudoers_path='$(sysconfdir)/sudoers'
+
#
@@ -3727,7 +3729,8 @@ noexec_file="$libexecdir/sudo/sudo_noexec.so"
sesh_file="$libexecdir/sudo/sesh"
visudo="$sbindir/visudo"
nsswitch_conf=/etc/nsswitch.conf
-secure_path="not set"
+secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+secure_path_set="disabled"
pam_session=on
pam_login_service=sudo
plugindir="$libexecdir/sudo"
@@ -6308,19 +6311,22 @@ EOF
if test ${with_secure_path+y}
then :
withval=$with_secure_path; case $with_secure_path in
- yes) with_secure_path="/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc"
- printf "%s\n" "#define SECURE_PATH \"$with_secure_path\"" >>confdefs.h
-
- secure_path="set to $with_secure_path"
+ yes) with_secure_path="$secure_path"
;;
no) ;;
- *) printf "%s\n" "#define SECURE_PATH \"$with_secure_path\"" >>confdefs.h
-
- secure_path="set to $with_secure_path"
+ *) secure_path="$with_secure_path"
;;
esac
fi
+if test "${with_secure_path-no}" != "no"
+then :
+
+ printf "%s\n" "#define SECURE_PATH \"$secure_path\"" >>confdefs.h
+
+ secure_path_set="set to $secure_path"
+
+fi
# Check whether --with-interfaces was given.
diff --git a/configure.ac b/configure.ac
index f4d96eccd0..61b2115300 100644
--- a/configure.ac
+++ b/configure.ac
@@ -177,6 +177,7 @@ AC_SUBST([sssd_lib])
AC_SUBST([nsswitch_conf])
AC_SUBST([netsvc_conf])
AC_SUBST([secure_path])
+AC_SUBST([secure_path_set])
AC_SUBST([editor])
AC_SUBST([pam_session])
AC_SUBST([pam_login_service])
@@ -228,7 +229,8 @@ noexec_file="$libexecdir/sudo/sudo_noexec.so"
sesh_file="$libexecdir/sudo/sesh"
visudo="$sbindir/visudo"
nsswitch_conf=/etc/nsswitch.conf
-secure_path="not set"
+secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+secure_path_set="disabled"
pam_session=on
pam_login_service=sudo
plugindir="$libexecdir/sudo"
@@ -1068,15 +1070,16 @@ SUDO_DEFINE_UNQUOTED(_PATH_LDAP_SECRET, "$ldap_secret", [Path to the ldap.secret
AC_ARG_WITH(secure-path, [AS_HELP_STRING([--with-secure-path], [override the user's path with a built-in one])],
[case $with_secure_path in
- yes) with_secure_path="/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc"
- AC_DEFINE_UNQUOTED(SECURE_PATH, "$with_secure_path")
- secure_path="set to $with_secure_path"
+ yes) with_secure_path="$secure_path"
;;
no) ;;
- *) AC_DEFINE_UNQUOTED(SECURE_PATH, "$with_secure_path")
- secure_path="set to $with_secure_path"
+ *) secure_path="$with_secure_path"
;;
esac])
+AS_IF([test "${with_secure_path-no}" != "no"], [
+ AC_DEFINE_UNQUOTED(SECURE_PATH, "$secure_path")
+ secure_path_set="set to $secure_path"
+])
AC_ARG_WITH(interfaces, [AS_HELP_STRING([--without-interfaces], [don't try to read the ip addr of network interfaces])],
[case $with_interfaces in
diff --git a/docs/sudoers.mdoc.in b/docs/sudoers.mdoc.in
index ef9657f139..f53f1e0e01 100644
--- a/docs/sudoers.mdoc.in
+++ b/docs/sudoers.mdoc.in
@@ -5305,7 +5305,7 @@ Users in the group specified by the
.Em exempt_group
option are not affected by
.Em secure_path .
-This option is @secure_path@ by default.
+This option is @secure_path_set@ by default.
.It syslog
Syslog facility if syslog is being used for logging (negate to
disable syslog logging).
diff --git a/plugins/sudoers/sudoers.in b/plugins/sudoers/sudoers.in
index 703c9d5f01..b0d464160f 100644
--- a/plugins/sudoers/sudoers.in
+++ b/plugins/sudoers/sudoers.in
@@ -45,6 +45,11 @@
## To preserve these for all commands, remove the "!visudo" qualifier.
Defaults!@visudo@ env_keep += "SUDO_EDITOR EDITOR VISUAL"
##
+## Use a hard-coded PATH instead of the user's to find commands.
+## This also helps prevent poorly written scripts from running
+## artbitrary commands under sudo.
+Defaults secure_path="@secure_path@"
+##
## You may wish to keep some of the following environment variables
## when running commands via sudo.
##
@@ -69,9 +74,6 @@ Defaults!@visudo@ env_keep += "SUDO_EDITOR EDITOR VISUAL"
## this may allow users to subvert the command being run via sudo.
# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
##
-## Uncomment to use a hard-coded PATH instead of the user's to find commands
-# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-##
## Uncomment to disable "use_pty" when running commands as root.
## Commands run as non-root users will run in a pseudo-terminal,
## not the user's own terminal, to prevent command injection.

View file

@ -0,0 +1,94 @@
From 1db1453556e1c9c415b676705fe51d49dcd9d8a3 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <Todd.Miller@sudo.ws>
Date: Mon, 10 Jun 2024 08:17:17 -0600
Subject: [PATCH] Preserve SUDO_EDITOR, EDITOR, and VISUAL for visudo.
---
configure | 9 +++++++++
configure.ac | 9 +++++++++
plugins/sudoers/sudoers.in | 4 ++++
3 files changed, 22 insertions(+)
diff --git a/configure b/configure
index 0f474168fb..237d5cf580 100755
--- a/configure
+++ b/configure
@@ -827,6 +827,7 @@ PRELOAD_MODULE
INSTALL_NOEXEC
INSTALL_INTERCEPT
INSTALL_BACKUP
+visudo
sesh_file
noexec_file
NOEXECDIR
@@ -3724,6 +3725,7 @@ netsvc_conf=/etc/netsvc.conf
intercept_file="$libexecdir/sudo/sudo_intercept.so"
noexec_file="$libexecdir/sudo/sudo_noexec.so"
sesh_file="$libexecdir/sudo/sesh"
+visudo="$sbindir/visudo"
nsswitch_conf=/etc/nsswitch.conf
secure_path="not set"
pam_session=on
@@ -35839,6 +35841,13 @@ while test X"$noexec_file" != X"$_noexec_file"; do
eval "noexec_file=\"$_noexec_file\""
done
+# Update exec_prefix in visudo
+_visudo=
+while test X"$visudo" != X"$_visudo"; do
+ _visudo="$visudo"
+ eval "visudo=\"$_visudo\""
+done
+
# Update exec_prefix in sesh_file
_sesh_file=
while test X"$sesh_file" != X"$_sesh_file"; do
diff --git a/configure.ac b/configure.ac
index c50e7d5544..f4d96eccd0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -75,6 +75,7 @@ AC_SUBST([NOEXECFILE])dnl
AC_SUBST([NOEXECDIR])dnl
AC_SUBST([noexec_file])dnl
AC_SUBST([sesh_file])dnl
+AC_SUBST([visudo])dnl
AC_SUBST([INSTALL_BACKUP])dnl
AC_SUBST([INSTALL_INTERCEPT])dnl
AC_SUBST([INSTALL_NOEXEC])dnl
@@ -225,6 +226,7 @@ netsvc_conf=/etc/netsvc.conf
intercept_file="$libexecdir/sudo/sudo_intercept.so"
noexec_file="$libexecdir/sudo/sudo_noexec.so"
sesh_file="$libexecdir/sudo/sesh"
+visudo="$sbindir/visudo"
nsswitch_conf=/etc/nsswitch.conf
secure_path="not set"
pam_session=on
@@ -4301,6 +4303,13 @@ while test X"$noexec_file" != X"$_noexec_file"; do
eval "noexec_file=\"$_noexec_file\""
done
+# Update exec_prefix in visudo
+_visudo=
+while test X"$visudo" != X"$_visudo"; do
+ _visudo="$visudo"
+ eval "visudo=\"$_visudo\""
+done
+
# Update exec_prefix in sesh_file
_sesh_file=
while test X"$sesh_file" != X"$_sesh_file"; do
diff --git a/plugins/sudoers/sudoers.in b/plugins/sudoers/sudoers.in
index e79edb400f..703c9d5f01 100644
--- a/plugins/sudoers/sudoers.in
+++ b/plugins/sudoers/sudoers.in
@@ -41,6 +41,10 @@
##
## Defaults specification
##
+## Preserve editor environment variables for visudo.
+## To preserve these for all commands, remove the "!visudo" qualifier.
+Defaults!@visudo@ env_keep += "SUDO_EDITOR EDITOR VISUAL"
+##
## You may wish to keep some of the following environment variables
## when running commands via sudo.
##