Date: Wednesday, February 2, 2022 @ 08:10:27 Author: foutrelis Revision: 435754
upgpkg: sudo 1.9.9-2: disable non-interactive auth https://github.com/sudo-project/sudo/issues/131
Added:
sudo/trunk/disable-non-interative-auth.patch
Modified:
sudo/trunk/PKGBUILD
-----------------------------------+
PKGBUILD | 5 +
disable-non-interative-auth.patch | 142 ++++++++++++++++++++++++++++++++++++
2 files changed, 146 insertions(+), 1 deletion(-)
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2022-02-02 07:13:57 UTC (rev 435753)
+++ PKGBUILD 2022-02-02 08:10:27 UTC (rev 435754)
@@ -4,7 +4,7 @@
 pkgname=sudo
 _sudover=1.9.9
-pkgrel=1
+pkgrel=2
 pkgver=${_sudover/p/.p}
 pkgdesc="Give certain users the ability to run some commands as root"
 arch=('x86_64')
@@ -19,15 +19,18 @@
 install=$pkgname.install
 source=(https://www.sudo.ws/sudo/dist/$pkgname-$_sudover.tar.gz{,.sig}
 sudo_logsrvd.service
+ disable-non-interative-auth.patch
 sudo.pam)
 sha256sums=('6d6ee863a3bc26c87661093a74ec63e10fd031ceba714642d21636dfe25e3e00'
 'SKIP'
 '8b91733b73171827c360a3e01f4692772b78e62ceca0cf0fd4b770aba35081a1'
+ '094387d71f6866ff85ab1cccbdf685f97c02a803eb01b41c80c52918785db85c'
 'd1738818070684a5d2c9b26224906aad69a4fea77aabd960fc2675aee2df1fa2')
 validpgpkeys=('59D1E9CCBA2B376704FDD35BA9F4C021CEA470FB')
 prepare() {
 cd "$srcdir/$pkgname-$_sudover"
+ patch -Np1 -i ../disable-non-interative-auth.patch
 }
 build() {
Added: disable-non-interative-auth.patch
===================================================================
--- disable-non-interative-auth.patch (rev 0)
+++ disable-non-interative-auth.patch 2022-02-02 08:10:27 UTC (rev 435754)
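Review bot: The new `patch -Np1 -i ../disable-non-interative-auth.patch` line in prepare() carries no comment saying why this package deviates from upstream 1.9.9, even though the deviation is security-relevant: it makes `sudo -n` refuse to authenticate unless the new `noninteractive_auth` flag is enabled, which the patch's own description calls the pre-1.9.9 behaviour. Suggest a comment directly above the patch line: `# Backport of upstream df5f61eb (sudo issue #131): restore pre-1.9.9 "sudo -n" behaviour; drop once 1.9.10 is packaged`. The backported manual text also states the option is only supported by version 1.9.10 or higher, which will read oddly in a 1.9.9-2 build, so the comment should mention that the option is already present here. The misspelling "interative" in the patch filename is used consistently in source=, sha256sums= and prepare(), so the build is unaffected, but renaming it now is cheaper than after it is referenced elsewhere.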
@@ -0,0 +1,142 @@
+From df5f61eb240b9ae1b67faad8f143a488c5c8f206 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <todd.mil...@sudo.ws>
+Date: Tue, 1 Feb 2022 20:08:26 -0700
+Subject: [PATCH] Add sudoers option to perform authentication even in
+ non-interative mode. If noninteractive_auth is set, authentication methods
+ that do not require input from the user's terminal may proceed. It is off by
+ default, which restores the pre-1.9.9 behavior of "sudo -n".
+
+(cherry picked from commit 85fef8b50f0847f4fce39a7fead9aae767be1dca)
+---
+ docs/sudoers.man.in | 17 +++++++++++++++++
+ docs/sudoers.mdoc.in | 16 ++++++++++++++++
+ plugins/sudoers/check.c | 6 ++++++
+ plugins/sudoers/def_data.c | 4 ++++
+ plugins/sudoers/def_data.h | 2 ++
+ plugins/sudoers/def_data.in | 3 +++
+ plugins/sudoers/defaults.c | 1 +
+ 7 files changed, 49 insertions(+)
+
+diff --git a/docs/sudoers.man.in b/docs/sudoers.man.in
+index 67ca7cec6..f7e53cfe7 100644
+--- a/docs/sudoers.man.in
++++ b/docs/sudoers.man.in
+@@ -3214,6 +3214,23 @@ This flag is
+ \fIoff\fR
+ by default.
+ .TP 18n
++noninteractive_auth
++If set, authentication will be attempted even in non-interactive mode
++(when
++\fBsudo\fR's
++\fB\-n\fR
++option is specified).
++This allows authentication methods that don't require user interaction
++to succeed.
++Authentication methods that require input from the user's terminal
++will still fail.
++If disabled, authentication will not be attempted in non-interactive mode.
++This flag is
++\fIoff\fR
++by default.
++.sp
++This setting is only supported by version 1.9.10 or higher.
++.TP 18n
+ pam_acct_mgmt
+ On systems that use PAM for authentication,
+ \fBsudo\fR
+diff --git a/docs/sudoers.mdoc.in b/docs/sudoers.mdoc.in
+index 1b9ea07cf..38b83b9af 100644
+--- a/docs/sudoers.mdoc.in
++++ b/docs/sudoers.mdoc.in
+@@ -3027,6 +3027,22 @@ section at the end of this manual.
+ This flag is
+ .Em off
+ by default.
++.It noninteractive_auth
++If set, authentication will be attempted even in non-interactive mode
++(when
++.Nm sudo Ns 's
++.Fl n
++option is specified).
++This allows authentication methods that don't require user interaction
++to succeed.
++Authentication methods that require input from the user's terminal
++will still fail.
++If disabled, authentication will not be attempted in non-interactive mode.
++This flag is
++.Em off
++by default.
++.Pp
++This setting is only supported by version 1.9.10 or higher.
+ .It pam_acct_mgmt
+ On systems that use PAM for authentication,
+ .Nm sudo
+diff --git a/plugins/sudoers/check.c b/plugins/sudoers/check.c
+index 2ba18d27e..25a2087b0 100644
+--- a/plugins/sudoers/check.c
++++ b/plugins/sudoers/check.c
+@@ -125,6 +125,12 @@ check_user_interactive(int validated, int mode, struct getpass_closure *closure)
+ FALLTHROUGH;
+
+ default:
++ if (ISSET(mode, MODE_NONINTERACTIVE) && !def_noninteractive_auth) {
++ validated |= FLAG_NO_USER_INPUT;
++ log_auth_failure(validated, 0);
++ goto done;
++ }
++
+ /* XXX - should not lecture if askpass helper is being used. */
+ lectured = display_lecture(closure->tstat);
+
+diff --git a/plugins/sudoers/def_data.c b/plugins/sudoers/def_data.c
+index 0afddace8..2398f3c28 100644
+--- a/plugins/sudoers/def_data.c
++++ b/plugins/sudoers/def_data.c
+@@ -645,6 +645,10 @@ struct sudo_defs_types sudo_defs_table[] = {
+ "rlimit_stack", T_RLIMIT|T_BOOL,
+ N_("The maximum size to which the process's stack may grow (in bytes): %s"),
+ NULL,
++ }, {
++ "noninteractive_auth", T_FLAG,
++ N_("Attempt authentication even when in non-interactive mode"),
++ NULL,
+ }, {
+ NULL, 0, NULL
+ }
+diff --git a/plugins/sudoers/def_data.h b/plugins/sudoers/def_data.h
+index 25bf3a71d..ae9182921 100644
+--- a/plugins/sudoers/def_data.h
++++ b/plugins/sudoers/def_data.h
+@@ -300,6 +300,8 @@
+ #define def_rlimit_rss (sudo_defs_table[I_RLIMIT_RSS].sd_un.str)
+ #define I_RLIMIT_STACK 149
+ #define def_rlimit_stack (sudo_defs_table[I_RLIMIT_STACK].sd_un.str)
++#define I_NONINTERACTIVE_AUTH 150
++#define def_noninteractive_auth (sudo_defs_table[I_NONINTERACTIVE_AUTH].sd_un.flag)
+
+ enum def_tuple {
+ never,
+diff --git a/plugins/sudoers/def_data.in b/plugins/sudoers/def_data.in
+index 8309779f7..03ed95607 100644
+--- a/plugins/sudoers/def_data.in
++++ b/plugins/sudoers/def_data.in
+@@ -466,3 +466,6 @@ rlimit_rss
+ rlimit_stack
+ T_RLIMIT|T_BOOL
+ "The maximum size to which the process's stack may grow (in bytes): %s"
++noninteractive_auth
++ T_FLAG
++ "Attempt authentication even when in non-interactive mode"
+diff --git a/plugins/sudoers/defaults.c b/plugins/sudoers/defaults.c
+index b7979f37e..53c2dc2a9 100644
+--- a/plugins/sudoers/defaults.c
++++ b/plugins/sudoers/defaults.c
+@@ -571,6 +571,7 @@ init_defaults(void)
+ def_log_denied = true;
+ def_log_format = sudo;
+ def_runas_allow_unknown_id = false;
++ def_noninteractive_auth = false;
+
+ /* Syslog options need special care since they both strings and ints */
+ #if (LOGGING & SLOG_SYSLOG)