From 841e5ff8666789ab6b07b365be4a2fa0ecf50add Mon Sep 17 00:00:00 2001
From: John Klug
Date: Fri, 5 Jul 2019 13:45:01 -0500
Subject: Upgrade sudo to 1.8.27 to fix various vulnerabilities

---
 recipes-extended/sudo/files/sudo.pam | 6 +++
 recipes-extended/sudo/sudo.inc | 52 ++++++++++++++++++++++
 ...1-Include-sys-types.h-for-id_t-definition.patch | 34 ++++++++++++++
 recipes-extended/sudo/sudo_1.8.27.bb | 45 +++++++++++++++++++
 4 files changed, 137 insertions(+)
 create mode 100644 recipes-extended/sudo/files/sudo.pam
 create mode 100644 recipes-extended/sudo/sudo.inc
 create mode 100644 recipes-extended/sudo/sudo/0001-Include-sys-types.h-for-id_t-definition.patch
 create mode 100644 recipes-extended/sudo/sudo_1.8.27.bb

diff --git a/recipes-extended/sudo/files/sudo.pam b/recipes-extended/sudo/files/sudo.pam
new file mode 100644
index 0000000..515eab0
--- /dev/null
+++ b/recipes-extended/sudo/files/sudo.pam
@@ -0,0 +1,6 @@
+#%PAM-1.0
+auth include common-auth
+account include common-account
+password include common-password
+session optional pam_keyinit.so revoke
+session required pam_limits.so
diff --git a/recipes-extended/sudo/sudo.inc b/recipes-extended/sudo/sudo.inc
new file mode 100644
index 0000000..51748b1
--- /dev/null
+++ b/recipes-extended/sudo/sudo.inc
@@ -0,0 +1,52 @@
+SUMMARY = "Provide limited super user privileges to specific users"
+DESCRIPTION = "Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments."
+HOMEPAGE = "http://www.sudo.ws"
+BUGTRACKER = "http://www.sudo.ws/bugs/"
+SECTION = "admin"
+LICENSE = "ISC & BSD & Zlib"
+LIC_FILES_CHKSUM = "file://doc/LICENSE;md5=6c76b73603ac7763ab0516ebfbe67b42 \
+ file://plugins/sudoers/redblack.c;beginline=1;endline=46;md5=4a162fc04b86b03f5632180fe6076cda \
+ file://lib/util/reallocarray.c;beginline=3;endline=16;md5=85b0905b795d4d58bf2e00635649eec6 \
+ file://lib/util/fnmatch.c;beginline=3;endline=27;md5=67f83ee9bd456557397082f8f1be0efd \
+ file://lib/util/getcwd.c;beginline=5;endline=27;md5=449af4cc57fc7d46f42090608ba3e681 \
+ file://lib/util/glob.c;beginline=6;endline=31;md5=5872733146b9eb0deb79e1f664815b85 \
+ file://lib/util/snprintf.c;beginline=6;endline=34;md5=c82c1b3a5c32e08545c9ec5d71e41e50 \
+ file://include/sudo_queue.h;beginline=5;endline=27;md5=449af4cc57fc7d46f42090608ba3e681 \
+ file://lib/util/inet_pton.c;beginline=3;endline=17;md5=3970ab0518ab79cbd0bafb697f10b33a \
+ file://lib/util/arc4random.c;beginline=3;endline=20;md5=15bdc89c1b003fa4d7353e6296ebfd68 \
+ file://lib/util/arc4random_uniform.c;beginline=3;endline=17;md5=31e630ac814d692fd0ab7a942659b46f \
+ file://lib/util/getentropy.c;beginline=1;endline=19;md5=9f1a275ecd44cc264a2a4d5e06a75292 \
+ "
+
+inherit autotools
+
+PACKAGECONFIG ??= ""
+PACKAGECONFIG[zlib] = "--enable-zlib,--disable-zlib,zlib"
+PACKAGECONFIG[pam-wheel] = ",,,pam-plugin-wheel"
+
+CONFFILES_${PN} = "${sysconfdir}/sudoers"
+
+EXTRA_OECONF = "--with-editor=/bin/vi --with-env-editor"
+
+EXTRA_OECONF_append_libc-musl = " --disable-hardening "
+
+# mksigname/mksiglist are used on build host to generate source files
+do_compile_prepend () {
+ echo "JAK: Correct sudo.inc"
+ # Remove build host references from sudo_usage.h
+ sed -i \
+ -e 's,--with-libtool-sysroot=${STAGING_DIR_TARGET},,g' \
+ -e 's,--build=${BUILD_SYS},,g' \
+ -e 's,--host=${HOST_SYS},,g' \
+ ${B}/src/sudo_usage.h
+ oe_runmake SSP_CFLAGS="" SSP_LDFLAGS="" CC="$BUILD_CC" CFLAGS="$BUILD_CFLAGS" CPPFLAGS="$BUILD_CPPFLAGS -I${S}/include -I${S} -I${B}" -C lib/util mksigname mksiglist
+}
+
+# Explicitly create ${localstatedir}/lib before do_install to ensure
+# the directory is accessible by all users. Otherwise the mkinstalldirs
+# script (from sudo) will recursively create ${localstatedir}/lib/sudo
+# and then chmod each directory with 0700 permissions, which isn't what
+# we want (i.e, users would not be able to access /var/lib).
+do_install_prepend (){
+ mkdir -p ${D}/${localstatedir}/lib
+}
diff --git a/recipes-extended/sudo/sudo/0001-Include-sys-types.h-for-id_t-definition.patch b/recipes-extended/sudo/sudo/0001-Include-sys-types.h-for-id_t-definition.patch
new file mode 100644
index 0000000..eb36cd4
--- /dev/null
+++ b/recipes-extended/sudo/sudo/0001-Include-sys-types.h-for-id_t-definition.patch
@@ -0,0 +1,34 @@
+From 386e2c2fa2ab2e02ef71c268a57205139be329ab Mon Sep 17 00:00:00 2001
+From: Khem Raj
+Date: Mon, 31 Aug 2015 07:07:49 +0000
+Subject: [PATCH] Include sys/types.h for id_t definition
+
+/sudo_util.h:219:14: error: unknown type name 'id_t'
+ __dso_public id_t sudo_strtoid_v1(const char *str, const char *sep,
+ char **endp, const char **errstr);
+ ^
+ make[1]: *** [preserve_fds.o] Error 1
+
+Signed-off-by: Khem Raj
+---
+Upstream-Status: Pending
+
+ include/sudo_util.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/include/sudo_util.h b/include/sudo_util.h
+index 89c9f89..ac0855a 100644
+--- a/include/sudo_util.h
++++ b/include/sudo_util.h
+@@ -17,6 +17,8 @@
+ #ifndef SUDO_UTIL_H
+ #define SUDO_UTIL_H
+
++#include
++
+ #ifdef HAVE_STDBOOL_H
+ # include
+ #else
+--
+2.5.1
+
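Review bot: `echo "JAK: Correct sudo.inc"` at the top of do_compile_prepend reads as a leftover debugging trace (author initials, no information for the build) and will be printed into every build log; drop that line. The sed that follows is already explained by the `# Remove build host references from sudo_usage.h` comment, so nothing else is needed there. Minor: `${D}/${localstatedir}/lib` in do_install_prepend doubles the slash since `${localstatedir}` is absolute; `${D}${localstatedir}/lib` matches the other paths in this recipe.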
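Review bot: The added line `++#include` in the embedded sudo_util.h patch shows no header name as rendered here, although the subject line says sys/types.h, and the context line `+ # include` under HAVE_STDBOOL_H is likewise empty; as shown, the directive would be malformed and the patch would break the build it is meant to fix. Most likely the angle-bracketed names were stripped by the page rendering rather than absent from the checked-in file, so this is worth a quick confirmation of the file on disk (it is applied to every build of this recipe), not a change request. The patch also carries `Upstream-Status: Pending` dated 2015; if 1.8.27 already includes the header, the patch is dead weight and could be dropped.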
diff --git a/recipes-extended/sudo/sudo_1.8.27.bb b/recipes-extended/sudo/sudo_1.8.27.bb
new file mode 100644
index 0000000..8f0a144
--- /dev/null
+++ b/recipes-extended/sudo/sudo_1.8.27.bb
@@ -0,0 +1,45 @@
+require sudo.inc
+
+SRC_URI = "http://ftp.sudo.ws/sudo/dist/sudo-${PV}.tar.gz \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '${PAM_SRC_URI}', '', d)} \
+ file://0001-Include-sys-types.h-for-id_t-definition.patch \
+ "
+
+PAM_SRC_URI = "file://sudo.pam"
+
+SRC_URI[md5sum] = "b5c184b13b6b5de32af630af2fd013fd"
+SRC_URI[sha256sum] = "7beb68b94471ef56d8a1036dbcdc09a7b58a949a68ffce48b83f837dd33e2ec0"
+
+DEPENDS += " ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
+RDEPENDS_${PN} += " ${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam-plugin-limits pam-plugin-keyinit', '', d)}"
+
+EXTRA_OECONF += " \
+ ac_cv_type_rsize_t=no \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'pam', '--with-pam', '--without-pam', d)} \
+ ${@bb.utils.contains('DISTRO_FEATURES', 'systemd', '--enable-tmpfiles.d=${libdir}/tmpfiles.d', '--disable-tmpfiles.d', d)} \
+ "
+
+do_install_append () {
+ if [ "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'pam', '', d)}" = "pam" ]; then
+ install -D -m 644 ${WORKDIR}/sudo.pam ${D}/${sysconfdir}/pam.d/sudo
+ fi
+ if ${@bb.utils.contains('PACKAGECONFIG', 'pam-wheel', 'true', 'false', d)} ; then
+ echo 'auth required pam_wheel.so use_uid' >>${D}${sysconfdir}/pam.d/sudo
+ sed -i 's/# \(%wheel ALL=(ALL) ALL\)/\1/' ${D}${sysconfdir}/sudoers
+ fi
+
+ chmod 4111 ${D}${bindir}/sudo
+ chmod 0440 ${D}${sysconfdir}/sudoers
+
+ # Explicitly remove the /run directory to avoid QA error
+ rmdir -p --ignore-fail-on-non-empty ${D}/run/sudo
+}
+
+FILES_${PN} += "${libdir}/tmpfiles.d"
+FILES_${PN}-dev += "${libexecdir}/${BPN}/lib*${SOLIBSDEV} ${libexecdir}/${BPN}/*.la \
+ ${libexecdir}/lib*${SOLIBSDEV} ${libexecdir}/*.la"
+
+
+
+
-- cgit v1.2.3
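Review bot: In do_install_append the pam-wheel block is not tied to the pam check above it: `${D}${sysconfdir}/pam.d/sudo` is only installed when 'pam' is in DISTRO_FEATURES, so with pam-wheel in PACKAGECONFIG and pam absent the `>>` redirection points into a directory that was never created and do_install fails (shell tasks run with errexit), and even if it succeeded the binary was configured --without-pam and would never read the line. Guard on the file as well, e.g. `if [ -f ${D}${sysconfdir}/pam.d/sudo ] && ${@bb.utils.contains('PACKAGECONFIG', 'pam-wheel', 'true', 'false', d)}; then`, or nest the block inside the pam `if`. Separately, SRC_URI fetches the tarball over plain http; the pinned sha256sum covers integrity, but an https URL would be the better default if the sudo.ws mirror serves one.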