diff --git a/sudo-selinux/.SRCINFO b/sudo-selinux/.SRCINFO
index 90f75f4c..e81fe69a 100644
--- a/sudo-selinux/.SRCINFO
+++ b/sudo-selinux/.SRCINFO
@@ -1,7 +1,7 @@
 pkgbase = sudo-selinux
 pkgdesc = Give certain users the ability to run some commands as root - SELinux support
 pkgver = 1.9.15.p5
- pkgrel = 1
+ pkgrel = 2
 url = https://www.sudo.ws/sudo/
 install = sudo.install
 arch = x86_64
@@ -14,8 +14,8 @@ pkgbase = sudo-selinux
 depends = libldap
 depends = zlib
 depends = libselinux
- provides = sudo=1.9.15.p5-1
- provides = selinux-sudo=1.9.15.p5-1
+ provides = sudo=1.9.15.p5-2
+ provides = selinux-sudo=1.9.15.p5-2
 conflicts = sudo
 conflicts = selinux-sudo
 backup = etc/pam.d/sudo
@@ -24,12 +24,18 @@ pkgbase = sudo-selinux
 backup = etc/sudoers
 source = https://www.sudo.ws/sudo/dist/sudo-1.9.15p5.tar.gz
 source = https://www.sudo.ws/sudo/dist/sudo-1.9.15p5.tar.gz.sig
+ source = sudo-selinux-preserve-editor-for-visudo.patch::https://github.com/sudo-project/sudo/commit/1db1453556e1.patch
+ source = sudo-selinux-enable-secure_path-by-default.patch::https://github.com/sudo-project/sudo/commit/e0e24456bc3f.patch
+ source = sudo-selinux-add-with-secure-path-value-option.patch::https://github.com/sudo-project/sudo/commit/e24737eac90f.patch
 source = sudo_logsrvd.service
 source = sudo.pam
 validpgpkeys = 59D1E9CCBA2B376704FDD35BA9F4C021CEA470FB
 sha256sums = 558d10b9a1991fb3b9fa7fa7b07ec4405b7aefb5b3cb0b0871dbc81e3a88e558
 sha256sums = SKIP
- sha256sums = 8b91733b73171827c360a3e01f4692772b78e62ceca0cf0fd4b770aba35081a1
+ sha256sums = 321aa5f1b482ffd5728c07477a51ce3de1e48b9db13f4578e662c227c705826c
+ sha256sums = baacece8e854bed47276925715ae8f3c2771ad72821006b3a26796fe154e1130
+ sha256sums = 78cc8346d79b359d89e8b2e27485eab8b076fab72e0c74832fa994407c3c6147
+ sha256sums = bd4bc2f5d85cbe14d7e7acc5008cb4fe62c38de7d42dc6876c87bfaa273c0a6e
 sha256sums = d1738818070684a5d2c9b26224906aad69a4fea77aabd960fc2675aee2df1fa2

 pkgname = sudo-selinux
diff --git a/sudo-selinux/PKGBUILD b/sudo-selinux/PKGBUILD index 1343dbc7..abea8fe9 100644 --- a/sudo-selinux/PKGBUILD +++ b/sudo-selinux/PKGBUILD @@ -1,4 +1,4 @@ -# Maintainer: Evangelos Foutras +# Maintainer: Evangelos Foutras # Contributor: Allan McRae # Contributor: Tom Newsom # SELinux Maintainer: Nicolas Iooss (nicolas iooss m4x org) @@ -10,7 +10,7 @@ pkgname=sudo-selinux _sudover=1.9.15p5 -pkgrel=1 +pkgrel=2 pkgver=${_sudover/p/.p} pkgdesc="Give certain users the ability to run some commands as root - SELinux support" arch=('x86_64' 'aarch64') @@ -27,16 +27,25 @@ backup=('etc/pam.d/sudo' 'etc/sudoers') install=${pkgname/-selinux}.install source=(https://www.sudo.ws/sudo/dist/${pkgname/-selinux}-$_sudover.tar.gz{,.sig} + $pkgname-preserve-editor-for-visudo.patch::https://github.com/sudo-project/sudo/commit/1db1453556e1.patch + $pkgname-enable-secure_path-by-default.patch::https://github.com/sudo-project/sudo/commit/e0e24456bc3f.patch + $pkgname-add-with-secure-path-value-option.patch::https://github.com/sudo-project/sudo/commit/e24737eac90f.patch sudo_logsrvd.service sudo.pam) sha256sums=('558d10b9a1991fb3b9fa7fa7b07ec4405b7aefb5b3cb0b0871dbc81e3a88e558' 'SKIP' - '8b91733b73171827c360a3e01f4692772b78e62ceca0cf0fd4b770aba35081a1' + '321aa5f1b482ffd5728c07477a51ce3de1e48b9db13f4578e662c227c705826c' + 'baacece8e854bed47276925715ae8f3c2771ad72821006b3a26796fe154e1130' + '78cc8346d79b359d89e8b2e27485eab8b076fab72e0c74832fa994407c3c6147' + 'bd4bc2f5d85cbe14d7e7acc5008cb4fe62c38de7d42dc6876c87bfaa273c0a6e' 'd1738818070684a5d2c9b26224906aad69a4fea77aabd960fc2675aee2df1fa2') validpgpkeys=('59D1E9CCBA2B376704FDD35BA9F4C021CEA470FB') prepare() { cd "${pkgname/-selinux}-$_sudover" + patch -Np1 -i ../$pkgname-preserve-editor-for-visudo.patch + patch -Np1 -F3 -i ../$pkgname-enable-secure_path-by-default.patch + patch -Np1 -i ../$pkgname-add-with-secure-path-value-option.patch } build() { 
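Review bot: In prepare(), `patch -Np1 -F3 -i ../$pkgname-enable-secure_path-by-default.patch` raises the fuzz factor so that patch may ignore up to three lines of context per hunk, which appears to be all the context the bundled hunks carry; the add-only hunks of that upstream commit (for example the ones touching `configure`) could then be placed by line offset alone without the build failing. I would record the reason next to the call, e.g. `# -F3: this upstream commit does not apply to 1.9.15p5 without extra fuzz`, and follow the three patch calls with a cheap assertion such as `grep -q '^Defaults secure_path=' plugins/sudoers/sudoers.in` so a misplaced hunk stops the build. The three new `source=` entries are pinned by `sha256sums` only, unlike the signed tarball, and reference abbreviated commit ids; the full ids are visible in the patches' own `From` lines and would make the URLs unambiguous.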
@@ -56,6 +65,7 @@ build() {
 --with-ldap-conf-file=/etc/openldap/ldap.conf \
 --with-env-editor \
 --with-passprompt="[sudo] password for %p: " \
+ --with-secure-path-value=/usr/local/sbin:/usr/local/bin:/usr/bin \
 --with-all-insults \
 --with-selinux
 make
diff --git a/sudo-selinux/sudo-selinux-add-with-secure-path-value-option.patch b/sudo-selinux/sudo-selinux-add-with-secure-path-value-option.patch
new file mode 100644
index 00000000..dbd52033
--- /dev/null
+++ b/sudo-selinux/sudo-selinux-add-with-secure-path-value-option.patch
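Review bot: The added `--with-secure-path-value=/usr/local/sbin:/usr/local/bin:/usr/bin` only sets the value substituted into the packaged default sudoers file; the bundled upstream patch text says it does not enable secure_path in the sudo binary itself. Because `etc/sudoers` is listed in `backup=`, a host with a locally edited sudoers will most likely keep its file on upgrade and receive the new default as a `.pacnew`, so the hard-coded PATH is not in effect there until an admin merges it. A comment above the flag, e.g. `# affects the default sudoers template only; existing /etc/sudoers needs the .pacnew merged`, or a post_upgrade message in the install script would make that visible. build() starts before this hunk and presumably continues past it.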
@@ -0,0 +1,91 @@
+From e24737eac90f89a41f1f6457fa71b5996c4418b1 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller"
+Date: Sun, 28 Jul 2024 15:44:07 -0600
+Subject: [PATCH] Add --with-secure-path-value option
+
+This can be used by package maintainers to set the value of secure_path
+that is substituted into the default sudoers file.
+---
+ INSTALL.md | 7 +++++++
+ configure | 16 ++++++++++++++++
+ configure.ac | 8 ++++++++
+ 3 files changed, 31 insertions(+)
+
+diff --git a/INSTALL.md b/INSTALL.md
+index 2261504b6c..fe2366be0c 100644
+--- a/INSTALL.md
++++ b/INSTALL.md
+@@ -1003,6 +1003,13 @@ Defaults are listed in brackets after the description.
+ is used.
+ Sudoers option: secure_path
+
++ --with-secure-path-value[=PATH]
++ Sets the value of "secure_path" that is substituted into
++ the default sudoers file. This option is intended to be
++ used by package maintainers who wish to set "secure_path"
++ to a system-specific value in the default sudoers file.
++ It does not actually enable "secure-path".
++
+ --with-sendmail=PATH
+ Override configure's guess as to the location of sendmail.
+ Sudoers option: mailerpath
+diff --git a/configure b/configure
+index 42cf004725..18eb2bdf27 100755
+--- a/configure
++++ b/configure
+@@ -1002,6 +1002,7 @@ with_nsswitch
+ with_ldap
+ with_ldap_conf_file
+ with_ldap_secret_file
++with_secure_path_value
+ with_secure_path
+ with_interfaces
+ with_askpass
+@@ -1883,6 +1884,8 @@ Optional Packages:
+ --with-ldap[=DIR] enable LDAP support
+ --with-ldap-conf-file path to LDAP configuration file
+ --with-ldap-secret-file path to LDAP secret password file
++ --with-secure-path-value
++ value of secure_path in the default sudoers file
+ --with-secure-path override the user's path with a built-in one
+ --without-interfaces don't try to read the ip addr of network interfaces
+ --with-askpass=PATH Fully qualified pathname of askpass helper
+@@ -6307,6 +6310,19 @@ EOF
+
+
+
++# Check whether --with-secure-path-value was given.
++if test ${with_secure_path_value+y}
++then :
++ withval=$with_secure_path_value; case $with_secure_path_value in
++ yes|no) as_fn_error $? "must give --secure-path-value an argument." "$LINENO" 5
++ ;;
++ *) secure_path="$with_secure_path_value"
++ ;;
++esac
++fi
++
++
++
+ # Check whether --with-secure-path was given.
+ if test ${with_secure_path+y}
+ then :
+diff --git a/configure.ac b/configure.ac
+index 1a8c0b3180..28b63ef0d8 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -1068,6 +1068,14 @@ AC_ARG_WITH(ldap-secret-file, [AS_HELP_STRING([--with-ldap-secret-file], [path t
+ test -n "$with_ldap_secret_file" && ldap_secret="$with_ldap_secret_file"
+ SUDO_DEFINE_UNQUOTED(_PATH_LDAP_SECRET, "$ldap_secret", [Path to the ldap.secret file])
+
++AC_ARG_WITH(secure-path-value, [AS_HELP_STRING([--with-secure-path-value], [value of secure_path in the default sudoers file])],
++[case $with_secure_path_value in
++ yes|no) AC_MSG_ERROR([must give --secure-path-value an argument.])
++ ;;
++ *) secure_path="$with_secure_path_value"
++ ;;
++esac])
++
+ AC_ARG_WITH(secure-path, [AS_HELP_STRING([--with-secure-path], [override the user's path with a built-in one])],
+ [case $with_secure_path in
+ yes) with_secure_path="$secure_path"
diff --git a/sudo-selinux/sudo-selinux-enable-secure_path-by-default.patch b/sudo-selinux/sudo-selinux-enable-secure_path-by-default.patch
new file mode 100644
index 00000000..c58cf90e
--- /dev/null
+++ b/sudo-selinux/sudo-selinux-enable-secure_path-by-default.patch
@@ -0,0 +1,171 @@
+From e0e24456bc3fcdf5506660be69186e01583ff383 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller"
+Date: Mon, 10 Jun 2024 20:37:05 -0600
+Subject: [PATCH] Enable secure_path in default sudoers file.
+
+It is still disabled by default in the sudo binary.
+---
+ INSTALL.md | 3 ++-
+ configure | 22 ++++++++++++++--------
+ configure.ac | 15 +++++++++------
+ docs/sudoers.mdoc.in | 2 +-
+ plugins/sudoers/sudoers.in | 8 +++++---
+ 5 files changed, 31 insertions(+), 19 deletions(-)
+
+diff --git a/INSTALL.md b/INSTALL.md
+index 59c67b8366..2261504b6c 100644
+--- a/INSTALL.md
++++ b/INSTALL.md
+@@ -999,7 +999,8 @@ Defaults are listed in brackets after the description.
+ be separate from the "user path." You will need to customize the
+ path for your site. This is not applied to users in the group
+ specified by --with-exemptgroup. If you do not specify a path,
+- "/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc" is used.
++ "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
++ is used.
+ Sudoers option: secure_path
+
+ --with-sendmail=PATH
+diff --git a/configure b/configure
+index 237d5cf580..e7f1b1d91e 100755
+--- a/configure
++++ b/configure
+@@ -733,6 +733,7 @@ plugindir
+ pam_login_service
+ pam_session
+ editor
++secure_path_set
+ secure_path
+ netsvc_conf
+ nsswitch_conf
+@@ -3680,6 +3681,7 @@ sudoers_path='$(sysconfdir)/sudoers'
+
+
+
++
+
+
+ #
+@@ -3727,7 +3729,8 @@ noexec_file="$libexecdir/sudo/sudo_noexec.so"
+ sesh_file="$libexecdir/sudo/sesh"
+ visudo="$sbindir/visudo"
+ nsswitch_conf=/etc/nsswitch.conf
+-secure_path="not set"
++secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
++secure_path_set="disabled"
+ pam_session=on
+ pam_login_service=sudo
+ plugindir="$libexecdir/sudo"
+@@ -6308,19 +6311,22 @@ EOF
+ if test ${with_secure_path+y}
+ then :
+ withval=$with_secure_path; case $with_secure_path in
+- yes) with_secure_path="/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc"
+- printf "%s\n" "#define SECURE_PATH \"$with_secure_path\"" >>confdefs.h
+-
+- secure_path="set to $with_secure_path"
++ yes) with_secure_path="$secure_path"
+ ;;
+ no) ;;
+- *) printf "%s\n" "#define SECURE_PATH \"$with_secure_path\"" >>confdefs.h
+-
+- secure_path="set to $with_secure_path"
++ *) secure_path="$with_secure_path"
+ ;;
+ esac
+ fi
+
++if test "${with_secure_path-no}" != "no"
++then :
++
++ printf "%s\n" "#define SECURE_PATH \"$secure_path\"" >>confdefs.h
++
++ secure_path_set="set to $secure_path"
++
++fi
+
+
+ # Check whether --with-interfaces was given.
+diff --git a/configure.ac b/configure.ac
+index f4d96eccd0..61b2115300 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -177,6 +177,7 @@ AC_SUBST([sssd_lib])
+ AC_SUBST([nsswitch_conf])
+ AC_SUBST([netsvc_conf])
+ AC_SUBST([secure_path])
++AC_SUBST([secure_path_set])
+ AC_SUBST([editor])
+ AC_SUBST([pam_session])
+ AC_SUBST([pam_login_service])
+@@ -228,7 +229,8 @@ noexec_file="$libexecdir/sudo/sudo_noexec.so"
+ sesh_file="$libexecdir/sudo/sesh"
+ visudo="$sbindir/visudo"
+ nsswitch_conf=/etc/nsswitch.conf
+-secure_path="not set"
++secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
++secure_path_set="disabled"
+ pam_session=on
+ pam_login_service=sudo
+ plugindir="$libexecdir/sudo"
+@@ -1068,15 +1070,16 @@ SUDO_DEFINE_UNQUOTED(_PATH_LDAP_SECRET, "$ldap_secret", [Path to the ldap.secret
+
+ AC_ARG_WITH(secure-path, [AS_HELP_STRING([--with-secure-path], [override the user's path with a built-in one])],
+ [case $with_secure_path in
+- yes) with_secure_path="/bin:/usr/ucb:/usr/bin:/usr/sbin:/sbin:/usr/etc:/etc"
+- AC_DEFINE_UNQUOTED(SECURE_PATH, "$with_secure_path")
+- secure_path="set to $with_secure_path"
++ yes) with_secure_path="$secure_path"
+ ;;
+ no) ;;
+- *) AC_DEFINE_UNQUOTED(SECURE_PATH, "$with_secure_path")
+- secure_path="set to $with_secure_path"
++ *) secure_path="$with_secure_path"
+ ;;
+ esac])
++AS_IF([test "${with_secure_path-no}" != "no"], [
++ AC_DEFINE_UNQUOTED(SECURE_PATH, "$secure_path")
++ secure_path_set="set to $secure_path"
++])
+
+ AC_ARG_WITH(interfaces, [AS_HELP_STRING([--without-interfaces], [don't try to read the ip addr of network interfaces])],
+ [case $with_interfaces in
+diff --git a/docs/sudoers.mdoc.in b/docs/sudoers.mdoc.in
+index ef9657f139..f53f1e0e01 100644
+--- a/docs/sudoers.mdoc.in
++++ b/docs/sudoers.mdoc.in
+@@ -5305,7 +5305,7 @@ Users in the group specified by the
+ .Em exempt_group
+ option are not affected by
+ .Em secure_path .
+-This option is @secure_path@ by default.
++This option is @secure_path_set@ by default.
+ .It syslog
+ Syslog facility if syslog is being used for logging (negate to
+ disable syslog logging).
+diff --git a/plugins/sudoers/sudoers.in b/plugins/sudoers/sudoers.in
+index 703c9d5f01..b0d464160f 100644
+--- a/plugins/sudoers/sudoers.in
++++ b/plugins/sudoers/sudoers.in
+@@ -45,6 +45,11 @@
+ ## To preserve these for all commands, remove the "!visudo" qualifier.
+ Defaults!@visudo@ env_keep += "SUDO_EDITOR EDITOR VISUAL"
+ ##
++## Use a hard-coded PATH instead of the user's to find commands.
++## This also helps prevent poorly written scripts from running
++## artbitrary commands under sudo.
++Defaults secure_path="@secure_path@"
++##
+ ## You may wish to keep some of the following environment variables
+ ## when running commands via sudo.
+ ##
+@@ -69,9 +74,6 @@ Defaults!@visudo@ env_keep += "SUDO_EDITOR EDITOR VISUAL"
+ ## this may allow users to subvert the command being run via sudo.
+ # Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+ ##
+-## Uncomment to use a hard-coded PATH instead of the user's to find commands
+-# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+-##
+ ## Uncomment to disable "use_pty" when running commands as root.
+ ## Commands run as non-root users will run in a pseudo-terminal,
+ ## not the user's own terminal, to prevent command injection.
diff --git a/sudo-selinux/sudo-selinux-preserve-editor-for-visudo.patch b/sudo-selinux/sudo-selinux-preserve-editor-for-visudo.patch
new file mode 100644
index 00000000..36d2cb6a
--- /dev/null
+++ b/sudo-selinux/sudo-selinux-preserve-editor-for-visudo.patch
@@ -0,0 +1,94 @@
+From 1db1453556e1c9c415b676705fe51d49dcd9d8a3 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller"
+Date: Mon, 10 Jun 2024 08:17:17 -0600
+Subject: [PATCH] Preserve SUDO_EDITOR, EDITOR, and VISUAL for visudo.
+
+---
+ configure | 9 +++++++++
+ configure.ac | 9 +++++++++
+ plugins/sudoers/sudoers.in | 4 ++++
+ 3 files changed, 22 insertions(+)
+
+diff --git a/configure b/configure
+index 0f474168fb..237d5cf580 100755
+--- a/configure
++++ b/configure
+@@ -827,6 +827,7 @@ PRELOAD_MODULE
+ INSTALL_NOEXEC
+ INSTALL_INTERCEPT
+ INSTALL_BACKUP
++visudo
+ sesh_file
+ noexec_file
+ NOEXECDIR
+@@ -3724,6 +3725,7 @@ netsvc_conf=/etc/netsvc.conf
+ intercept_file="$libexecdir/sudo/sudo_intercept.so"
+ noexec_file="$libexecdir/sudo/sudo_noexec.so"
+ sesh_file="$libexecdir/sudo/sesh"
++visudo="$sbindir/visudo"
+ nsswitch_conf=/etc/nsswitch.conf
+ secure_path="not set"
+ pam_session=on
+@@ -35839,6 +35841,13 @@ while test X"$noexec_file" != X"$_noexec_file"; do
+ eval "noexec_file=\"$_noexec_file\""
+ done
+
++# Update exec_prefix in visudo
++_visudo=
++while test X"$visudo" != X"$_visudo"; do
++ _visudo="$visudo"
++ eval "visudo=\"$_visudo\""
++done
++
+ # Update exec_prefix in sesh_file
+ _sesh_file=
+ while test X"$sesh_file" != X"$_sesh_file"; do
+diff --git a/configure.ac b/configure.ac
+index c50e7d5544..f4d96eccd0 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -75,6 +75,7 @@ AC_SUBST([NOEXECFILE])dnl
+ AC_SUBST([NOEXECDIR])dnl
+ AC_SUBST([noexec_file])dnl
+ AC_SUBST([sesh_file])dnl
++AC_SUBST([visudo])dnl
+ AC_SUBST([INSTALL_BACKUP])dnl
+ AC_SUBST([INSTALL_INTERCEPT])dnl
+ AC_SUBST([INSTALL_NOEXEC])dnl
+@@ -225,6 +226,7 @@ netsvc_conf=/etc/netsvc.conf
+ intercept_file="$libexecdir/sudo/sudo_intercept.so"
+ noexec_file="$libexecdir/sudo/sudo_noexec.so"
+ sesh_file="$libexecdir/sudo/sesh"
++visudo="$sbindir/visudo"
+ nsswitch_conf=/etc/nsswitch.conf
+ secure_path="not set"
+ pam_session=on
+@@ -4301,6 +4303,13 @@ while test X"$noexec_file" != X"$_noexec_file"; do
+ eval "noexec_file=\"$_noexec_file\""
+ done
+
++# Update exec_prefix in visudo
++_visudo=
++while test X"$visudo" != X"$_visudo"; do
++ _visudo="$visudo"
++ eval "visudo=\"$_visudo\""
++done
++
+ # Update exec_prefix in sesh_file
+ _sesh_file=
+ while test X"$sesh_file" != X"$_sesh_file"; do
+diff --git a/plugins/sudoers/sudoers.in b/plugins/sudoers/sudoers.in
+index e79edb400f..703c9d5f01 100644
+--- a/plugins/sudoers/sudoers.in
++++ b/plugins/sudoers/sudoers.in
+@@ -41,6 +41,10 @@
+ ##
+ ## Defaults specification
+ ##
++## Preserve editor environment variables for visudo.
++## To preserve these for all commands, remove the "!visudo" qualifier.
++Defaults!@visudo@ env_keep += "SUDO_EDITOR EDITOR VISUAL"
++##
+ ## You may wish to keep some of the following environment variables
+ ## when running commands via sudo.
+ ##
diff --git a/sudo-selinux/sudo_logsrvd.service b/sudo-selinux/sudo_logsrvd.service
index a62fef1c..06af76d5 100644
--- a/sudo-selinux/sudo_logsrvd.service
+++ b/sudo-selinux/sudo_logsrvd.service
@@ -2,7 +2,7 @@
 Description=Sudo central log server
 Documentation=man:sudo_logsrvd(8) man:sudo_logsrvd.conf(5)
 Documentation=https://www.sudo.ws/man.html
-After=syslog.target network.target auditd.service
+After=network.target auditd.service

 [Service]
 ExecStart=/usr/bin/sudo_logsrvd -n