Hello community,

here is the log from the commit of package sudo for openSUSE:Factory checked in 
at 2022-02-18 23:02:36
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/sudo (Old)
 and      /work/SRC/openSUSE:Factory/.sudo.new.1958 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "sudo"

Fri Feb 18 23:02:36 2022 rev:128 rq:955511 version:1.9.9

Changes:
--------
--- /work/SRC/openSUSE:Factory/sudo/sudo.changes        2022-02-03 
23:16:05.232776293 +0100
+++ /work/SRC/openSUSE:Factory/.sudo.new.1958/sudo.changes      2022-02-18 
23:02:37.997414293 +0100
@@ -1,0 +2,7 @@
+Wed Feb 16 04:34:33 UTC 2022 - Simon Lees <sfl...@suse.de>
+
+- Restrict use of sudo -U other -l to people who have permission
+  to run commands as that user (bsc#1181703, jsc#SLE-22569)
+  * feature-upstream-restrict-sudo-U-other-l.patch
+
+-------------------------------------------------------------------

New:
----
  feature-upstream-restrict-sudo-U-other-l.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ sudo.spec ++++++
--- /var/tmp/diff_new_pack.papBUN/_old  2022-02-18 23:02:38.701414239 +0100
+++ /var/tmp/diff_new_pack.papBUN/_new  2022-02-18 23:02:38.705414238 +0100
@@ -38,6 +38,7 @@
 Source7:        README_313276.test
 # PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
 Patch0:         sudo-sudoers.patch
+Patch1:         feature-upstream-restrict-sudo-U-other-l.patch
 BuildRequires:  audit-devel
 BuildRequires:  cyrus-sasl-devel
 BuildRequires:  groff
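Review bot: Only the `Patch1:` declaration is added in this hunk; no corresponding application of the patch is visible in the diff. Unless %prep uses `%autosetup` or `%autopatch` (not shown here), a `%patch1 -p1` line is needed, otherwise the patch is declared but never applied and the package would build without the restriction the changelog entry announces. Worth checking the %prep section of sudo.spec, which is outside the hunk.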

++++++ feature-upstream-restrict-sudo-U-other-l.patch ++++++
>From 9f695f0fcc749b3cdebc453ba4fdeae84114f3ae Mon Sep 17 00:00:00 2001
From: "Todd C. Miller" <todd.mil...@sudo.ws>
Date: Mon, 14 Feb 2022 13:09:55 -0700
Subject: [PATCH] Restrict "sudo -U other -l" to users with sudo ALL for root
 or "other". Having "sudo ALL" permissions is no longer sufficient to be able
 to list another user's privileges.  The invoking user must now have "sudo
 ALL" for root or the target user. GitHub issue #134

---
 docs/sudo.man.in         | 11 ++++++-----
 docs/sudo.mdoc.in        | 11 ++++++-----
 plugins/sudoers/parse.c  | 34 ++++++++++++++++++++++++----------
 plugins/sudoers/policy.c |  5 +++++
 4 files changed, 41 insertions(+), 20 deletions(-)

Index: sudo-1.9.9/docs/sudo.man.in
===================================================================
--- sudo-1.9.9.orig/docs/sudo.man.in
+++ sudo-1.9.9/docs/sudo.man.in
@@ -664,11 +664,12 @@ option to list the privileges for
 \fIuser\fR
 instead of for the invoking user.
 The security policy may restrict listing other users' privileges.
-The
+When using the
 \fIsudoers\fR
-policy only allows root or a user with the
-\fRALL\fR
-privilege on the current host to use this option.
+policy, only root or a user with the ability to run any command as
+either root or the specified
+\fIuser\fR
+on the current host may use this option.
 .TP 12n
 \fB\-T\fR \fItimeout\fR, \fB\--command-timeout\fR=\fItimeout\fR
 Used to set a timeout for the command.
Index: sudo-1.9.9/docs/sudo.mdoc.in
===================================================================
--- sudo-1.9.9.orig/docs/sudo.mdoc.in
+++ sudo-1.9.9/docs/sudo.mdoc.in
@@ -620,11 +620,12 @@ option to list the privileges for
 .Ar user
 instead of for the invoking user.
 The security policy may restrict listing other users' privileges.
-The
+When using the
 .Em sudoers
-policy only allows root or a user with the
-.Li ALL
-privilege on the current host to use this option.
+policy, only root or a user with the ability to run any command as
+either root or the specified
+.Ar user
+on the current host may use this option.
 .It Fl T Ar timeout , Fl -command-timeout Ns = Ns Ar timeout
 Used to set a timeout for the command.
 If the timeout expires before the command has exited, the
Index: sudo-1.9.9/plugins/sudoers/parse.c
===================================================================
--- sudo-1.9.9.orig/plugins/sudoers/parse.c
+++ sudo-1.9.9/plugins/sudoers/parse.c
@@ -43,24 +43,26 @@ static int
 sudoers_lookup_pseudo(struct sudo_nss_list *snl, struct passwd *pw,
     int validated, int pwflag)
 {
-    int match;
+    struct passwd *root_pw = NULL;
     struct sudo_nss *nss;
     struct cmndspec *cs;
     struct privilege *priv;
     struct userspec *us;
     struct defaults *def;
-    int nopass;
+    int nopass, match = DENY;
     enum def_tuple pwcheck;
     debug_decl(sudoers_lookup_pseudo, SUDOERS_DEBUG_PARSER);
 
     pwcheck = (pwflag == -1) ? never : sudo_defs_table[pwflag].sd_un.tuple;
     nopass = (pwcheck == never || pwcheck == all) ? true : false;
 
-    if (list_pw == NULL)
-       SET(validated, FLAG_NO_CHECK);
     CLR(validated, FLAG_NO_USER);
     CLR(validated, FLAG_NO_HOST);
-    match = DENY;
+    if (list_pw != NULL) {
+       root_pw = sudo_getpwuid(ROOT_UID);
+    } else {
+       SET(validated, FLAG_NO_CHECK);
+    }
     TAILQ_FOREACH(nss, snl, entries) {
        if (nss->query(nss, pw) == -1) {
            /* The query function should have printed an error message. */
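Review bot: The new `root_pw = sudo_getpwuid(ROOT_UID);` in the `if (list_pw != NULL)` branch is never checked for NULL, and the second hunk of this file passes root_pw straight into userlist_matches() as the passwd to match. If sudo_getpwuid() can return NULL here (no uid 0 entry in the configured passwd source), that is a NULL dereference on the `-U other -l` path; I would treat it as a lookup failure, e.g. `if (root_pw == NULL) { sudo_warnx(U_("unknown uid %u"), (unsigned int)ROOT_UID); /* fail the lookup */ }`, returning whatever this function's deny path returns. The function's tail, including its return, is outside the hunk.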
@@ -89,16 +91,28 @@ sudoers_lookup_pseudo(struct sudo_nss_li
                    }
                    if (match == ALLOW)
                        continue;
-                   /* Only check the command when listing another user. */
+
+                   /* Only check runas/command when listing another user. */
                    if (user_uid == 0 || list_pw == NULL ||
-                       user_uid == list_pw->pw_uid ||
-                       cmnd_matches(nss->parse_tree, cs->cmnd, cs->runchroot,
-                       NULL) == ALLOW)
-                           match = ALLOW;
+                           user_uid == list_pw->pw_uid) {
+                       match = ALLOW;
+                       continue;
+                   }
+                   /* Runas user must match list user or root. */
+                   if (userlist_matches(nss->parse_tree, list_pw,
+                           cs->runasuserlist) == DENY ||
+                           userlist_matches(nss->parse_tree, root_pw,
+                           cs->runasuserlist) != ALLOW)
+                       continue;
+                   if (cmnd_matches(nss->parse_tree, cs->cmnd, cs->runchroot,
+                           NULL) == ALLOW)
+                       match = ALLOW;
                }
            }
        }
     }
+    if (root_pw != NULL)
+       sudo_pw_delref(root_pw);
     if (match == ALLOW || user_uid == 0) {
        /* User has an entry for this host. */
        SET(validated, VALIDATE_SUCCESS);
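Review bot: The test under the new `/* Runas user must match list user or root. */` comment does not implement "list user or root": with the `||` form the cmndspec is skipped whenever root is not ALLOW in cs->runasuserlist, so an entry whose runas list names only the listed user (constructed example: `alice ALL=(bob) ALL`) never reaches cmnd_matches(), while one that matches root passes as long as the list user is not explicitly negated. If the intent is the one the commit message states (sudo ALL as either root or the target user), the condition should be `userlist_matches(nss->parse_tree, list_pw, cs->runasuserlist) != ALLOW && userlist_matches(nss->parse_tree, root_pw, cs->runasuserlist) != ALLOW`. Separately, cs->runasuserlist is handed to userlist_matches() unguarded; if a cmndspec with no explicit runas clause stores a NULL list here (please check against the grammar), this needs a NULL guard, presumably treating the default runas user as root. sudoers_lookup_pseudo continues past the end of this hunk.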
Index: sudo-1.9.9/plugins/sudoers/policy.c
===================================================================
--- sudo-1.9.9.orig/plugins/sudoers/policy.c
+++ sudo-1.9.9/plugins/sudoers/policy.c
@@ -1217,6 +1217,11 @@ sudoers_policy_list(int argc, char * con
            sudo_warnx(U_("unknown user %s"), list_user);
            debug_return_int(-1);
        }
+       /* A user may only list another user they have runas access to. */
+       if (runas_pw != NULL)
+           sudo_pw_delref(runas_pw);
+       runas_pw = list_pw;
+       sudo_pw_addref(list_pw);
     }
     ret = sudoers_policy_main(argc, argv, I_LISTPW, NULL, verbose, NULL);
     if (list_user) {
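Review bot: The added block replaces runas_pw with list_pw unconditionally, so if the option parser allows `-u` together with `-U` and `-l`, a runas user the invoker chose with `-u` is silently discarded here; if that combination is now meant to be rejected it should be diagnosed, and if it is meant to be honoured the override should apply only when no `-u` was given — worth confirming against the argument parsing, which is outside this hunk. The comment could also state what the swap is for, e.g. `/* Run the lookup as list_pw so the sudoers check applies the invoker's runas access for that user. */`. The reference handling (delref old, assign, addref new) looks consistent, assuming the function's existing cleanup delrefs runas_pw as before; that code is outside the hunk.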
