summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJohn Klug <john.klug@multitech.com>2019-07-05 13:45:01 -0500
committerJohn Klug <john.klug@multitech.com>2019-07-05 13:45:01 -0500
commit52fd1d2e08c0a456cf0023e3adb55b61db6df51a (patch)
tree42869ce3c8ca4a7b6c10aa2a788efb2089a6c664
parentaa92e2fd870f7cd75b49e0dc4b0a67d68ee7b788 (diff)
downloadmeta-mlinux-52fd1d2e08c0a456cf0023e3adb55b61db6df51a.tar.gz
meta-mlinux-52fd1d2e08c0a456cf0023e3adb55b61db6df51a.tar.bz2
meta-mlinux-52fd1d2e08c0a456cf0023e3adb55b61db6df51a.zip
Upgrade sudo to 1.8.27 to fix various vulnerabilities
-rw-r--r--recipes-extended/sudo/files/sudo.pam6
-rw-r--r--recipes-extended/sudo/sudo.inc52
-rw-r--r--recipes-extended/sudo/sudo/0001-Include-sys-types.h-for-id_t-definition.patch34
-rw-r--r--recipes-extended/sudo/sudo_1.8.27.bb45
4 files changed, 137 insertions, 0 deletions
diff --git a/recipes-extended/sudo/files/sudo.pam b/recipes-extended/sudo/files/sudo.pam
new file mode 100644
index 0000000..515eab0
--- /dev/null
+++ b/recipes-extended/sudo/files/sudo.pam
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth include common-auth
+account include common-account
+password include common-password
+session optional pam_keyinit.so revoke
+session required pam_limits.so
diff --git a/recipes-extended/sudo/sudo.inc b/recipes-extended/sudo/sudo.inc
new file mode 100644
index 0000000..51748b1
--- /dev/null
+++ b/recipes-extended/sudo/sudo.inc
@@ -0,0 +1,52 @@
+SUMMARY = "Provide limited super user privileges to specific users"
+DESCRIPTION = "Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments."
+HOMEPAGE = "http://www.sudo.ws"
+BUGTRACKER = "http://www.sudo.ws/bugs/"
+SECTION = "admin"
+LICENSE = "ISC & BSD & Zlib"
+LIC_FILES_CHKSUM = "file://doc/LICENSE;md5=6c76b73603ac7763ab0516ebfbe67b42 \
+ file://plugins/sudoers/redblack.c;beginline=1;endline=46;md5=4a162fc04b86b03f5632180fe6076cda \
+ file://lib/util/reallocarray.c;beginline=3;endline=16;md5=85b0905b795d4d58bf2e00635649eec6 \
+ file://lib/util/fnmatch.c;beginline=3;endline=27;md5=67f83ee9bd456557397082f8f1be0efd \
+ file://lib/util/getcwd.c;beginline=5;endline=27;md5=449af4cc57fc7d46f42090608ba3e681 \
+ file://lib/util/glob.c;beginline=6;endline=31;md5=5872733146b9eb0deb79e1f664815b85 \
+ file://lib/util/snprintf.c;beginline=6;endline=34;md5=c82c1b3a5c32e08545c9ec5d71e41e50 \
+ file://include/sudo_queue.h;beginline=5;endline=27;md5=449af4cc57fc7d46f42090608ba3e681 \
+ file://lib/util/inet_pton.c;beginline=3;endline=17;md5=3970ab0518ab79cbd0bafb697f10b33a \
+ file://lib/util/arc4random.c;beginline=3;endline=20;md5=15bdc89c1b003fa4d7353e6296ebfd68 \
+ file://lib/util/arc4random_uniform.c;beginline=3;endline=17;md5=31e630ac814d692fd0ab7a942659b46f \
+ file://lib/util/getentropy.c;beginline=1;endline=19;md5=9f1a275ecd44cc264a2a4d5e06a75292 \
+ "
+
+inherit autotools
+
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[zlib] = "--enable-zlib,--disable-zlib,zlib"
+PACKAGECONFIG[pam-wheel] = ",,,pam-plugin-wheel"
+
+CONFFILES_${PN} = "${sysconfdir}/sudoers"
+
+EXTRA_OECONF = "--with-editor=/bin/vi --with-env-editor"
+
+EXTRA_OECONF_append_libc-musl = " --disable-hardening "
+
+# mksigname/mksiglist are used on build host to generate source files
+do_compile_prepend () {
+ echo "JAK: Correct sudo.inc"
+ # Remove build host references from sudo_usage.h
+ sed -i \
+ -e 's,--with-libtool-sysroot=${STAGING_DIR_TARGET},,g' \
+ -e 's,--build=${BUILD_SYS},,g' \
+ -e 's,--host=${HOST_SYS},,g' \
+ ${B}/src/sudo_usage.h
+ oe_runmake SSP_CFLAGS="" SSP_LDFLAGS="" CC="$BUILD_CC" CFLAGS="$BUILD_CFLAGS" CPPFLAGS="$BUILD_CPPFLAGS -I${S}/include -I${S} -I${B}" -C lib/util mksigname mksiglist
+}
+
+# Explicitly create ${localstatedir}/lib before do_install to ensure
+# the directory is accessible by all users. Otherwise the mkinstalldirs
+# script (from sudo) will recursively create ${localstatedir}/lib/sudo
+# and then chmod each directory with 0700 permissions, which isn't what
+# we want (i.e, users would not be able to access /var/lib).
+do_install_prepend (){
+ mkdir -p ${D}/${localstatedir}/lib
+}
diff --git a/recipes-extended/sudo/sudo/0001-Include-sys-types.h-for-id_t-definition.patch b/recipes-extended/sudo/sudo/0001-Include-sys-types.h-for-id_t-definition.patch
new file mode 100644
index 0000000..eb36cd4
--- /dev/null
+++ b/recipes-extended/sudo/sudo/0001-Include-sys-types.h-for-id_t-definition.patch
@@ -0,0 +1,34 @@
+From 386e2c2fa2ab2e02ef71c268a57205139be329ab Mon Sep 17 00:00:00 2001
+From: Khem Raj <raj.khem@gmail.com>
+Date: Mon, 31 Aug 2015 07:07:49 +0000
+Subject: [PATCH] Include sys/types.h for id_t definition
+
+/sudo_util.h:219:14: error: unknown type name 'id_t'
+ __dso_public id_t sudo_strtoid_v1(const char *str, const char *sep,
+ char **endp, const char **errstr);
+ ^
+ make[1]: *** [preserve_fds.o] Error 1
+
+Signed-off-by: Khem Raj <raj.khem@gmail.com>
+---
+Upstream-Status: Pending
+
+ include/sudo_util.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/sudo_util.h b/include/sudo_util.h
+index 89c9f89..ac0855a 100644
+--- a/include/sudo_util.h
++++ b/include/sudo_util.h
+@@ -17,6 +17,8 @@
+ #ifndef SUDO_UTIL_H
+ #define SUDO_UTIL_H
+
++#include <sys/types.h>
++
+ #ifdef HAVE_STDBOOL_H
+ # include <stdbool.h>
+ #else
+--
+2.5.1
+
diff --git a/recipes-extended/sudo/sudo_1.8.27.bb b/recipes-extended/sudo/sudo_1.8.27.bb
new file mode 100644
index 0000000..8f0a144
--- /dev/null
+++ b/recipes-extended/sudo/sudo_1.8.27.bb
@@ -0,0 +1,45 @@
+require sudo.inc
+
+SRC_URI = "http://ftp.sudo.ws/sudo/dist/sudo-${PV}.tar.gz \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
+ file://0001-Include-sys-types.h-for-id_t-definition.patch \
+ "
+
+PAM_SRC_URI = "file://sudo.pam"
+
+SRC_URI[md5sum] = "b5c184b13b6b5de32af630af2fd013fd"
+SRC_URI[sha256sum] = "7beb68b94471ef56d8a1036dbcdc09a7b58a949a68ffce48b83f837dd33e2ec0"
+
+DEPENDS += " ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
+RDEPENDS_${PN} += " ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-limits pam-plugin-keyinit', '', d)}"
+
+EXTRA_OECONF += " \
+ ac_cv_type_rsize_t=no \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--enable-tmpfiles.d=${libdir}/tmpfiles.d', '--disable-tmpfiles.d', d)} \
+ "
+
+do_install_append () {
+ if [ "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam', '', d)}" = "pam" ]; then
+ install -D -m 644 ${WORKDIR}/sudo.pam ${D}/${sysconfdir}/pam.d/sudo
+ fi
+ if ${@bb.utils.contains('PACKAGECONFIG', 'pam-wheel', 'true', 'false', d)} ; then
+ echo 'auth required pam_wheel.so use_uid' >>${D}${sysconfdir}/pam.d/sudo
+ sed -i 's/# \(%wheel ALL=(ALL) ALL\)/\1/' ${D}${sysconfdir}/sudoers
+ fi
+
+ chmod 4111 ${D}${bindir}/sudo
+ chmod 0440 ${D}${sysconfdir}/sudoers
+
+ # Explicitly remove the /run directory to avoid QA error
+ rmdir -p --ignore-fail-on-non-empty ${D}/run/sudo
+}
+
+FILES_${PN} += "${libdir}/tmpfiles.d"
+FILES_${PN}-dev += "${libexecdir}/${BPN}/lib*${SOLIBSDEV} ${libexecdir}/${BPN}/*.la \
+ ${libexecdir}/lib*${SOLIBSDEV} ${libexecdir}/*.la"
+
+
+
+
+