Hello community, here is the log from the commit of package sudo for openSUSE:Factory checked in at 2020-04-22 20:43:08 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/sudo (Old) and /work/SRC/openSUSE:Factory/.sudo.new.2738 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "sudo" Wed Apr 22 20:43:08 2020 rev:108 rq:794970 version:1.9.0rc2 Changes: -------- --- /work/SRC/openSUSE:Factory/sudo/sudo.changes 2020-03-19 19:49:11.612145813 +0100 +++ /work/SRC/openSUSE:Factory/.sudo.new.2738/sudo.changes 2020-04-22 20:43:10.742239518 +0200 @@ -1,0 +2,81 @@ +Fri Apr 17 17:07:06 UTC 2020 - Kristyna Streitova <[email protected]> + +- build with enable-python to support python plugins + +------------------------------------------------------------------- +Fri Apr 17 11:51:49 UTC 2020 - Kristyna Streitova <[email protected]> + +- Update to 1.9.0rc2 + * Fixed a test failure in the strsig_test regress test on FreeBSD. + * Sudo now includes a logging daemon, sudo_logsrvd, which can be + used to implement centralized logging of I/O logs. TLS connections + are supported when sudo is configured with the --enable-openssl + option. For more information, see the sudo_logsrvd, logsrvd.conf + and sudo_logsrv.proto manuals as well as the log_servers setting + in the sudoers manual. + The --disable-log-server and --disable-log-client configure + options can be used to disable building the I/O log server and/or + remote I/O log support in the sudoers plugin. + * The new sudo_sendlog utility can be used to test sudo_logsrvd + or send existing sudo I/O logs to a centralized server. + * It is now possible to write sudo plugins in Python 3 when sudo + is configured with the --enable-python> option. See the + sudo_plugin_python.man.html manual for details. + Sudo 1.9.0 comes with several Python example plugins that get + installed sudo's examples directory. + The sudo blog article "What's new in sudo 1.9: Python" + (https://blog.sudo.ws/posts/2020/01/whats-new-in-sudo-1.9-python/) + includes a simple tutorial on writing python plugins. + * Sudo now supports an "audit" plugin type. An audit plugin + receives accept, reject, exit and error messages and can be used + to implement custom logging that is independent of the underlying + security policy. Multiple audit plugins may be specified in + the sudo.conf file. A sample audit plugin is included that + writes logs in JSON format. + * Sudo now supports an "approval" plugin type. An approval plugin + is run only after the main security policy (such as sudoers) accepts + a command to be run. The approval policy may perform additional + checks, potentially interacting with the user. Multiple approval + plugins may be specified in the sudo.conf file. Only if all + approval plugins succeed will the command be allowed. + * Sudo's -S command line option now causes the sudo conversation + function to write to the standard output or standard error instead + of the terminal device. + * It is now possible to use "Cmd_Alias" instead of "Cmnd_Alias" for + people who find the former more natural. + * The new "pam_ruser" and "pam_rhost" sudoers settings can be used + to enable or disable setting the PAM remote user and/or host + values during PAM session setup. + * More than one SHA-2 digest may now be specified for a single + command. Multiple digests must be separated by a comma. + * It is now possible to specify a SHA-2 digest in conjunction with + the "ALL" reserved word in a command specification. This allows + one to give permission to run any command that matches the + specified digest, regardless of its path. + * Sudo and sudo_logsrvd now create an extended I/O log info file + in JSON format that contains additional information about the + command that was run, such as the host name. The sudoreplay + utility uses this file in preference to the legacy log file. + * The sudoreplay utility can now match on a host name in list mode. + The list output also now includes the host name if one is present + in the log file. + * For "sudo -i", if the target user's home directory does not + exist, sudo will now warn about the problem but run the command + in the current working directory. Previously, this was a fatal + error. Debian bug #598519. + * The command line arguments in the SUDO_COMMAND environment + variable are now truncated at 4096 characters. This avoids an + "Argument list too long" error when executing a command with a + large number of arguments. Debian bug #596631. + * Sudo now properly ends the PAM transaction when the user + authenticates successfully but sudoers denies the command. + Debian bug #669687. + * The sudoers grammar in the manual now indicates that "sudoedit" + requires one or more arguments. Debian bug #571621. +- Pack /usr/sbin/{sudo_logsrvd,sudo_sendlog} binaries and their + manpages +- Pack /usr/lib/sudo/sudo/{audit_json.so,sample_approval.so} plugins +- Pack /etc/sudo.conf and /etc/sudo_logsrvd.conf configuration files +- Run spec-cleaner + +------------------------------------------------------------------- Old: ---- sudo-1.8.31p1.tar.gz sudo-1.8.31p1.tar.gz.sig New: ---- sudo-1.9.0rc2.tar.gz sudo-1.9.0rc2.tar.gz.sig ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ sudo.spec ++++++ --- /var/tmp/diff_new_pack.eytjKE/_old 2020-04-22 20:43:11.902241788 +0200 +++ /var/tmp/diff_new_pack.eytjKE/_new 2020-04-22 20:43:11.906241797 +0200 @@ -21,16 +21,15 @@ %else %define use_usretc 1 %endif - Name: sudo -Version: 1.8.31p1 +Version: 1.9.0rc2 Release: 0 Summary: Execute some commands as root License: ISC Group: System/Base URL: https://www.sudo.ws/ -Source0: https://sudo.ws/sudo/dist/%{name}-%{version}.tar.gz -Source1: https://sudo.ws/sudo/dist/%{name}-%{version}.tar.gz.sig +Source0: https://www.sudo.ws/dist/beta/%{name}-%{version}.tar.gz +Source1: https://www.sudo.ws/dist/beta/%{name}-%{version}.tar.gz.sig Source2: %{name}.keyring Source3: sudo.pamd Source4: sudo-i.pamd @@ -45,6 +44,7 @@ BuildRequires: libselinux-devel BuildRequires: openldap2-devel BuildRequires: pam-devel +BuildRequires: python3-devel BuildRequires: systemd-rpm-macros BuildRequires: zlib-devel Requires(pre): coreutils @@ -103,6 +103,7 @@ --with-tty-tickets \ --enable-shell-sets-home \ --enable-warnings \ + --enable-python \ --with-sendmail=%{_sbindir}/sendmail \ --with-sudoers-mode=0440 \ --with-env-editor \ @@ -111,7 +112,7 @@ --with-rundir=%{_localstatedir}/lib/sudo \ --with-sssd # -B required to make every build give the same result - maybe from bad build deps in Makefiles? -make -B %{?_smp_mflags} +%make_build -B %install %make_install install_uid=`id -u` install_gid=`id -g` @@ -143,15 +144,14 @@ %pre # move outdated pam.d/*.rpmsave files away for i in sudo sudo-i ; do - test -f /etc/pam.d/${i}.rpmsave && mv -v /etc/pam.d/${i}.rpmsave /etc/pam.d/${i}.rpmsave.old ||: + test -f %{_sysconfdir}/pam.d/${i}.rpmsave && mv -v %{_sysconfdir}/pam.d/${i}.rpmsave %{_sysconfdir}/pam.d/${i}.rpmsave.old ||: done %posttrans # Migration to /usr/etc. for i in sudo sudo-i ; do - test -f /etc/pam.d/${i}.rpmsave && mv -v /etc/pam.d/${i}.rpmsave /etc/pam.d/${i} ||: + test -f %{_sysconfdir}/pam.d/${i}.rpmsave && mv -v %{_sysconfdir}/pam.d/${i}.rpmsave %{_sysconfdir}/pam.d/${i} ||: done - %endif %post @@ -178,9 +178,16 @@ %{_mandir}/man8/sudoedit.8%{?ext_man} %{_mandir}/man8/sudoreplay.8%{?ext_man} %{_mandir}/man8/visudo.8%{?ext_man} +%{_mandir}/man5/sudo_logsrv.proto.5%{?ext_man} +%{_mandir}/man5/sudo_logsrvd.conf.5%{?ext_man} +%{_mandir}/man8/sudo_logsrvd.8%{?ext_man} +%{_mandir}/man8/sudo_plugin_python.8%{?ext_man} +%{_mandir}/man8/sudo_sendlog.8%{?ext_man} %config(noreplace) %attr(0440,root,root) %{_sysconfdir}/sudoers %dir %{_sysconfdir}/sudoers.d +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sudo.conf +%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sudo_logsrvd.conf %if %{defined use_usretc} %{_distconfdir}/pam.d/sudo %{_distconfdir}/pam.d/sudo-i @@ -196,6 +203,8 @@ %{_bindir}/sudoreplay %{_bindir}/cvtsudoers %{_sbindir}/visudo +%{_sbindir}/sudo_logsrvd +%{_sbindir}/sudo_sendlog %dir %{_libexecdir}/%{name} %{_libexecdir}/%{name}/sesh %{_libexecdir}/%{name}/sudo_noexec.so @@ -203,6 +212,9 @@ %{_libexecdir}/%{name}/%{name}/sudoers.so %{_libexecdir}/%{name}/%{name}/group_file.so %{_libexecdir}/%{name}/%{name}/system_group.so +%{_libexecdir}/%{name}/%{name}/audit_json.so +%{_libexecdir}/%{name}/%{name}/sample_approval.so +%{_libexecdir}/%{name}/%{name}/python_plugin.so %{_libexecdir}/%{name}/libsudo_util.so.* %attr(0711,root,root) %dir %ghost %{_localstatedir}/lib/%{name} %attr(0700,root,root) %dir %ghost %{_localstatedir}/lib/%{name}/ts
