Merge sudo-selinux 1.9.15.p5-2 update

Merge AUR commit cf1df1e:
https://aur.archlinux.org/cgit/aur.git/commit/?h=sudo-selinux&id=cf1df1e84794c7996dec2a2c86eb2a8a35f11379

sudo-selinux/.SRCINFO

@@ -1,7 +1,7 @@
 pkgbase = sudo-selinux
 	pkgdesc = Give certain users the ability to run some commands as root - SELinux support
 	pkgver = 1.9.15.p5
-	pkgrel = 1
+	pkgrel = 2
 	url = https://www.sudo.ws/sudo/
 	install = sudo.install
 	arch = x86_64
@@ -14,8 +14,8 @@ pkgbase = sudo-selinux
 	depends = libldap
 	depends = zlib
 	depends = libselinux
-	provides = sudo=1.9.15.p5-1
-	provides = selinux-sudo=1.9.15.p5-1
+	provides = sudo=1.9.15.p5-2
+	provides = selinux-sudo=1.9.15.p5-2
 	conflicts = sudo
 	conflicts = selinux-sudo
 	backup = etc/pam.d/sudo
@@ -24,12 +24,18 @@ pkgbase = sudo-selinux
 	backup = etc/sudoers
 	source = https://www.sudo.ws/sudo/dist/sudo-1.9.15p5.tar.gz
 	source = https://www.sudo.ws/sudo/dist/sudo-1.9.15p5.tar.gz.sig
+	source = sudo-selinux-preserve-editor-for-visudo.patch::https://github.com/sudo-project/sudo/commit/1db1453556e1.patch
+	source = sudo-selinux-enable-secure_path-by-default.patch::https://github.com/sudo-project/sudo/commit/e0e24456bc3f.patch
+	source = sudo-selinux-add-with-secure-path-value-option.patch::https://github.com/sudo-project/sudo/commit/e24737eac90f.patch
 	source = sudo_logsrvd.service
 	source = sudo.pam
 	validpgpkeys = 59D1E9CCBA2B376704FDD35BA9F4C021CEA470FB
 	sha256sums = 558d10b9a1991fb3b9fa7fa7b07ec4405b7aefb5b3cb0b0871dbc81e3a88e558
 	sha256sums = SKIP
-	sha256sums = 8b91733b73171827c360a3e01f4692772b78e62ceca0cf0fd4b770aba35081a1
+	sha256sums = 321aa5f1b482ffd5728c07477a51ce3de1e48b9db13f4578e662c227c705826c
+	sha256sums = baacece8e854bed47276925715ae8f3c2771ad72821006b3a26796fe154e1130
+	sha256sums = 78cc8346d79b359d89e8b2e27485eab8b076fab72e0c74832fa994407c3c6147
+	sha256sums = bd4bc2f5d85cbe14d7e7acc5008cb4fe62c38de7d42dc6876c87bfaa273c0a6e
 	sha256sums = d1738818070684a5d2c9b26224906aad69a4fea77aabd960fc2675aee2df1fa2
 
 pkgname = sudo-selinux

sudo-selinux/PKGBUILD

@@ -1,4 +1,4 @@
-# Maintainer: Evangelos Foutras <evangelos@foutrelis.com>
+# Maintainer: Evangelos Foutras <foutrelis@archlinux.org>
 # Contributor: Allan McRae <[email protected]>
 # Contributor: Tom Newsom <[email protected]>
 # SELinux Maintainer: Nicolas Iooss (nicolas <dot> iooss <at> m4x <dot> org)
@@ -10,7 +10,7 @@
 
 pkgname=sudo-selinux
 _sudover=1.9.15p5
-pkgrel=1
+pkgrel=2
 pkgver=${_sudover/p/.p}
 pkgdesc="Give certain users the ability to run some commands as root - SELinux support"
 arch=('x86_64' 'aarch64')
@@ -27,16 +27,25 @@ backup=('etc/pam.d/sudo'
         'etc/sudoers')
 install=${pkgname/-selinux}.install
 source=(https://www.sudo.ws/sudo/dist/${pkgname/-selinux}-$_sudover.tar.gz{,.sig}
+        $pkgname-preserve-editor-for-visudo.patch::https://github.com/sudo-project/sudo/commit/1db1453556e1.patch
+        $pkgname-enable-secure_path-by-default.patch::https://github.com/sudo-project/sudo/commit/e0e24456bc3f.patch
+        $pkgname-add-with-secure-path-value-option.patch::https://github.com/sudo-project/sudo/commit/e24737eac90f.patch
         sudo_logsrvd.service
         sudo.pam)
 sha256sums=('558d10b9a1991fb3b9fa7fa7b07ec4405b7aefb5b3cb0b0871dbc81e3a88e558'
             'SKIP'
-            '8b91733b73171827c360a3e01f4692772b78e62ceca0cf0fd4b770aba35081a1'
+            '321aa5f1b482ffd5728c07477a51ce3de1e48b9db13f4578e662c227c705826c'
+            'baacece8e854bed47276925715ae8f3c2771ad72821006b3a26796fe154e1130'
+            '78cc8346d79b359d89e8b2e27485eab8b076fab72e0c74832fa994407c3c6147'
+            'bd4bc2f5d85cbe14d7e7acc5008cb4fe62c38de7d42dc6876c87bfaa273c0a6e'
             'd1738818070684a5d2c9b26224906aad69a4fea77aabd960fc2675aee2df1fa2')
 validpgpkeys=('59D1E9CCBA2B376704FDD35BA9F4C021CEA470FB')
 
 prepare() {
   cd "${pkgname/-selinux}-$_sudover"
+  patch -Np1 -i ../$pkgname-preserve-editor-for-visudo.patch
+  patch -Np1 -F3 -i ../$pkgname-enable-secure_path-by-default.patch
+  patch -Np1 -i ../$pkgname-add-with-secure-path-value-option.patch
 }
 
 build() {
@@ -56,6 +65,7 @@ build() {
     --with-ldap-conf-file=/etc/openldap/ldap.conf \
     --with-env-editor \
     --with-passprompt="[sudo] password for %p: " \
+    --with-secure-path-value=/usr/local/sbin:/usr/local/bin:/usr/bin \
     --with-all-insults \
     --with-selinux
   make

sudo-selinux/sudo-selinux-add-with-secure-path-value-option.patch

@@ -0,0 +1,91 @@
+From e24737eac90f89a41f1f6457fa71b5996c4418b1 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <[email protected]>
+Date: Sun, 28 Jul 2024 15:44:07 -0600
+Subject: [PATCH] Add --with-secure-path-value option
+
+This can be used by package maintainers to set the value of secure_path
+that is substituted into the default sudoers file.
+---
+ INSTALL.md   |  7 +++++++
+ configure    | 16 ++++++++++++++++
+ configure.ac |  8 ++++++++
+ 3 files changed, 31 insertions(+)
+
+diff --git a/INSTALL.md b/INSTALL.md
+index 2261504b6c..fe2366be0c 100644
+--- a/INSTALL.md
++++ b/INSTALL.md
+@@ -1003,6 +1003,13 @@ Defaults are listed in brackets after the description.
+         is used.  
+         Sudoers option: secure_path
+
++    --with-secure-path-value[=PATH]
++        Sets the value of "secure_path" that is substituted into
++        the default sudoers file.  This option is intended to be
++        used by package maintainers who wish to set "secure_path"
++        to a system-specific value in the default sudoers file.
++        It does not actually enable "secure-path".
++
+     --with-sendmail=PATH
+         Override configure's guess as to the location of sendmail.  
+         Sudoers option: mailerpath
+diff --git a/configure b/configure
+index 42cf004725..18eb2bdf27 100755
+--- a/configure
++++ b/configure
+@@ -1002,6 +1002,7 @@ with_nsswitch
+ with_ldap
+ with_ldap_conf_file
+ with_ldap_secret_file
++with_secure_path_value
+ with_secure_path
+ with_interfaces
+ with_askpass
+@@ -1883,6 +1884,8 @@ Optional Packages:
+   --with-ldap[=DIR]       enable LDAP support
+   --with-ldap-conf-file   path to LDAP configuration file
+   --with-ldap-secret-file path to LDAP secret password file
++  --with-secure-path-value
++                          value of secure_path in the default sudoers file
+   --with-secure-path      override the user's path with a built-in one
+   --without-interfaces    don't try to read the ip addr of network interfaces
+   --with-askpass=PATH     Fully qualified pathname of askpass helper
+@@ -6307,6 +6310,19 @@ EOF
+
+
+
++# Check whether --with-secure-path-value was given.
++if test ${with_secure_path_value+y}
++then :
++  withval=$with_secure_path_value; case $with_secure_path_value in
++    yes|no)	as_fn_error $? "must give --secure-path-value an argument." "$LINENO" 5
++		;;
++    *)		secure_path="$with_secure_path_value"
++		;;
++esac
++fi
++
++
++
+ # Check whether --with-secure-path was given.
+ if test ${with_secure_path+y}
+ then :
+diff --git a/configure.ac b/configure.ac
+index 1a8c0b3180..28b63ef0d8 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1068,6 +1068,14 @@ AC_ARG_WITH(ldap-secret-file, [AS_HELP_STRING([--with-ldap-secret-file], [path t
+ test -n "$with_ldap_secret_file" && ldap_secret="$with_ldap_secret_file"
+ SUDO_DEFINE_UNQUOTED(_PATH_LDAP_SECRET, "$ldap_secret", [Path to the ldap.secret file])
+
++AC_ARG_WITH(secure-path-value, [AS_HELP_STRING([--with-secure-path-value], [value of secure_path in the default sudoers file])],
++[case $with_secure_path_value in
++    yes|no)	AC_MSG_ERROR([must give --secure-path-value an argument.])
++		;;
++    *)		secure_path="$with_secure_path_value"
++		;;
++esac])
++
+ AC_ARG_WITH(secure-path, [AS_HELP_STRING([--with-secure-path], [override the user's path with a built-in one])],
+ [case $with_secure_path in
+     yes)	with_secure_path="$secure_path"

sudo-selinux/sudo-selinux-enable-secure_path-by-default.patch

@@ -0,0 +1,171 @@
+From e0e24456bc3fcdf5506660be69186e01583ff383 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <[email protected]>
+Date: Mon, 10 Jun 2024 20:37:05 -0600
+Subject: [PATCH] Enable secure_path in default sudoers file.
+
+It is still disabled by default in the sudo binary.
+---
+ INSTALL.md                 |  3 ++-
+ configure                  | 22 ++++++++++++++--------
+ configure.ac               | 15 +++++++++------
+ docs/sudoers.mdoc.in       |  2 +-
+ plugins/sudoers/sudoers.in |  8 +++++---
+ 5 files changed, 31 insertions(+), 19 deletions(-)
+
+diff --git a/INSTALL.md b/INSTALL.md
+index 59c67b8366..2261504b6c 100644
+--- a/INSTALL.md
++++ b/INSTALL.md
+@@ -999,7 +999,8 @@ Defaults are listed in brackets after the description.
+         be separate from the "user path."  You will need to customize the
+         path for your site.  This is not applied to users in the group
+         specified by --with-exemptgroup.  If you do not specify a path,
+-        "/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc" is used.  
++        "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
++        is used.  
+         Sudoers option: secure_path
+
+     --with-sendmail=PATH
+diff --git a/configure b/configure
+index 237d5cf580..e7f1b1d91e 100755
+--- a/configure
++++ b/configure
+@@ -733,6 +733,7 @@ plugindir
+ pam_login_service
+ pam_session
+ editor
++secure_path_set
+ secure_path
+ netsvc_conf
+ nsswitch_conf
+@@ -3680,6 +3681,7 @@ sudoers_path='$(sysconfdir)/sudoers'
+
+
+
++
+
+
+ #
+@@ -3727,7 +3729,8 @@ noexec_file="$libexecdir/sudo/sudo_noexec.so"
+ sesh_file="$libexecdir/sudo/sesh"
+ visudo="$sbindir/visudo"
+ nsswitch_conf=/etc/nsswitch.conf
+-secure_path="not set"
++secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
++secure_path_set="disabled"
+ pam_session=on
+ pam_login_service=sudo
+ plugindir="$libexecdir/sudo"
+@@ -6308,19 +6311,22 @@ EOF
+ if test ${with_secure_path+y}
+ then :
+   withval=$with_secure_path; case $with_secure_path in
+-    yes)	with_secure_path="/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc"
+-		printf "%s\n" "#define SECURE_PATH \"$with_secure_path\"" >>confdefs.h
+-
+-		secure_path="set to $with_secure_path"
++    yes)	with_secure_path="$secure_path"
+ 		;;
+     no)		;;
+-    *)		printf "%s\n" "#define SECURE_PATH \"$with_secure_path\"" >>confdefs.h
+-
+-		secure_path="set to $with_secure_path"
++    *)		secure_path="$with_secure_path"
+ 		;;
+ esac
+ fi
+
++if test "${with_secure_path-no}" != "no"
++then :
++
++	printf "%s\n" "#define SECURE_PATH \"$secure_path\"" >>confdefs.h
++
++	secure_path_set="set to $secure_path"
++
++fi
+
+
+ # Check whether --with-interfaces was given.
+diff --git a/configure.ac b/configure.ac
+index f4d96eccd0..61b2115300 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -177,6 +177,7 @@ AC_SUBST([sssd_lib])
+ AC_SUBST([nsswitch_conf])
+ AC_SUBST([netsvc_conf])
+ AC_SUBST([secure_path])
++AC_SUBST([secure_path_set])
+ AC_SUBST([editor])
+ AC_SUBST([pam_session])
+ AC_SUBST([pam_login_service])
+@@ -228,7 +229,8 @@ noexec_file="$libexecdir/sudo/sudo_noexec.so"
+ sesh_file="$libexecdir/sudo/sesh"
+ visudo="$sbindir/visudo"
+ nsswitch_conf=/etc/nsswitch.conf
+-secure_path="not set"
++secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
++secure_path_set="disabled"
+ pam_session=on
+ pam_login_service=sudo
+ plugindir="$libexecdir/sudo"
+@@ -1068,15 +1070,16 @@ SUDO_DEFINE_UNQUOTED(_PATH_LDAP_SECRET, "$ldap_secret", [Path to the ldap.secret
+
+ AC_ARG_WITH(secure-path, [AS_HELP_STRING([--with-secure-path], [override the user's path with a built-in one])],
+ [case $with_secure_path in
+-    yes)	with_secure_path="/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc"
+-		AC_DEFINE_UNQUOTED(SECURE_PATH, "$with_secure_path")
+-		secure_path="set to $with_secure_path"
++    yes)	with_secure_path="$secure_path"
+ 		;;
+     no)		;;
+-    *)		AC_DEFINE_UNQUOTED(SECURE_PATH, "$with_secure_path")
+-		secure_path="set to $with_secure_path"
++    *)		secure_path="$with_secure_path"
+ 		;;
+ esac])
++AS_IF([test "${with_secure_path-no}" != "no"], [
++	AC_DEFINE_UNQUOTED(SECURE_PATH, "$secure_path")
++	secure_path_set="set to $secure_path"
++])
+
+ AC_ARG_WITH(interfaces, [AS_HELP_STRING([--without-interfaces], [don't try to read the ip addr of network interfaces])],
+ [case $with_interfaces in
+diff --git a/docs/sudoers.mdoc.in b/docs/sudoers.mdoc.in
+index ef9657f139..f53f1e0e01 100644
+--- a/docs/sudoers.mdoc.in
++++ b/docs/sudoers.mdoc.in
+@@ -5305,7 +5305,7 @@ Users in the group specified by the
+ .Em exempt_group
+ option are not affected by
+ .Em secure_path .
+-This option is @secure_path@ by default.
++This option is @secure_path_set@ by default.
+ .It syslog
+ Syslog facility if syslog is being used for logging (negate to
+ disable syslog logging).
+diff --git a/plugins/sudoers/sudoers.in b/plugins/sudoers/sudoers.in
+index 703c9d5f01..b0d464160f 100644
+--- a/plugins/sudoers/sudoers.in
++++ b/plugins/sudoers/sudoers.in
+@@ -45,6 +45,11 @@
+ ## To preserve these for all commands, remove the "!visudo" qualifier.
+ Defaults!@visudo@ env_keep += "SUDO_EDITOR EDITOR VISUAL"
+ ##
++## Use a hard-coded PATH instead of the user's to find commands.
++## This also helps prevent poorly written scripts from running
++## artbitrary commands under sudo.
++Defaults secure_path="@secure_path@"
++##
+ ## You may wish to keep some of the following environment variables
+ ## when running commands via sudo.
+ ##
+@@ -69,9 +74,6 @@ Defaults!@visudo@ env_keep += "SUDO_EDITOR EDITOR VISUAL"
+ ## this may allow users to subvert the command being run via sudo.
+ # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+ ##
+-## Uncomment to use a hard-coded PATH instead of the user's to find commands
+-# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+-##
+ ## Uncomment to disable "use_pty" when running commands as root.
+ ## Commands run as non-root users will run in a pseudo-terminal,
+ ## not the user's own terminal, to prevent command injection.