author | Raphaël Marichez <falco@gentoo.org> | 2008-04-15 11:38:17 +0200 |
---|---|---|
committer | Raphaël Marichez <falco@gentoo.org> | 2008-04-15 11:38:17 +0200 |
commit | f797738dec2de8edda2b4b50b22264451f234e31 (patch) | |
tree | 74957c5b35315179cf6b4211506515f4b1dad8ac /app-admin/sudo/files | |
parent | wrong dir (diff) | |
sudo: own patch for logging the SSH_CLIENT env variable
Signed-off-by: Raphaël Marichez <falco@gentoo.org>
Diffstat (limited to 'app-admin/sudo/files')
-rw-r--r-- | app-admin/sudo/files/digest-sudo-1.6.8_p11 | 1 | ||||
-rw-r--r-- | app-admin/sudo/files/digest-sudo-1.6.8_p12 | 1 | ||||
-rw-r--r-- | app-admin/sudo/files/digest-sudo-1.6.8_p12-r1 | 3 | ||||
-rw-r--r-- | app-admin/sudo/files/digest-sudo-1.6.8_p9 | 1 | ||||
-rw-r--r-- | app-admin/sudo/files/digest-sudo-1.6.8_p9-r2 | 3 | ||||
-rw-r--r-- | app-admin/sudo/files/patch.sudo-1.6.8p9.logging.c.diff | 43 | ||||
-rw-r--r-- | app-admin/sudo/files/sudo | 6 | ||||
-rw-r--r-- | app-admin/sudo/files/sudo-1.6.8_p12-ssh_client.diff | 46 | ||||
-rw-r--r-- | app-admin/sudo/files/sudo-1.6.8_p8-ldap-tls_cacert.diff | 10 | ||||
-rw-r--r-- | app-admin/sudo/files/sudo-ldap_timelimit.diff | 76 | ||||
-rw-r--r-- | app-admin/sudo/files/sudo-skeychallengeargs.diff | 15 | ||||
-rw-r--r-- | app-admin/sudo/files/sudoers | 55 |
12 files changed, 260 insertions, 0 deletions
diff --git a/app-admin/sudo/files/digest-sudo-1.6.8_p11 b/app-admin/sudo/files/digest-sudo-1.6.8_p11
new file mode 100644
index 0000000..a0e605f
--- /dev/null
+++ b/app-admin/sudo/files/digest-sudo-1.6.8_p11
@@ -0,0 +1 @@
+MD5 2b4dbbcec2865adbe12c5693097a6d2c sudo-1.6.8p11.tar.gz 585581
diff --git a/app-admin/sudo/files/digest-sudo-1.6.8_p12 b/app-admin/sudo/files/digest-sudo-1.6.8_p12
new file mode 100644
index 0000000..b0063e9
--- /dev/null
+++ b/app-admin/sudo/files/digest-sudo-1.6.8_p12
@@ -0,0 +1 @@
+MD5 b29893c06192df6230dd5f340f3badf5 sudo-1.6.8p12.tar.gz 585643
diff --git a/app-admin/sudo/files/digest-sudo-1.6.8_p12-r1 b/app-admin/sudo/files/digest-sudo-1.6.8_p12-r1
new file mode 100644
index 0000000..02e4692
--- /dev/null
+++ b/app-admin/sudo/files/digest-sudo-1.6.8_p12-r1
@@ -0,0 +1,3 @@
+MD5 b29893c06192df6230dd5f340f3badf5 sudo-1.6.8p12.tar.gz 585643
+RMD160 d7ff9f18ca0973615258c2e975300b94567451d5 sudo-1.6.8p12.tar.gz 585643
+SHA256 56f7d86032538a4a98d90af3742903a09ba16d6db82b593e4a47605f87fa581a sudo-1.6.8p12.tar.gz 585643
diff --git a/app-admin/sudo/files/digest-sudo-1.6.8_p9 b/app-admin/sudo/files/digest-sudo-1.6.8_p9
new file mode 100644
index 0000000..0629e17
--- /dev/null
+++ b/app-admin/sudo/files/digest-sudo-1.6.8_p9
@@ -0,0 +1 @@
+MD5 6d0346abd16914956bc7ea4f17fc85fb sudo-1.6.8p9.tar.gz 585509
diff --git a/app-admin/sudo/files/digest-sudo-1.6.8_p9-r2 b/app-admin/sudo/files/digest-sudo-1.6.8_p9-r2
new file mode 100644
index 0000000..89fdc9a
--- /dev/null
+++ b/app-admin/sudo/files/digest-sudo-1.6.8_p9-r2
@@ -0,0 +1,3 @@
+MD5 6d0346abd16914956bc7ea4f17fc85fb sudo-1.6.8p9.tar.gz 585509
+RMD160 c1c719504476ab9ac11e0421716d149120463e33 sudo-1.6.8p9.tar.gz 585509
+SHA256 68f5b3e4f5572d816cf4d23616432286da7ba96ac58c17fef23046f12c88f440 sudo-1.6.8p9.tar.gz 585509
diff --git a/app-admin/sudo/files/patch.sudo-1.6.8p9.logging.c.diff b/app-admin/sudo/files/patch.sudo-1.6.8p9.logging.c.diff
new file mode 100644
index 0000000..be6da5c
--- /dev/null
+++ b/app-admin/sudo/files/patch.sudo-1.6.8p9.logging.c.diff
@@ -0,0 +1,43 @@
+--- logging.b.c 2006-01-21 15:49:27.000000000 +0100
++++ logging.c 2006-01-21 18:47:05.000000000 +0100
+@@ -301,9 +301,9 @@
+ else
+ message = "unknown error ; ";
+ 
+- easprintf(&logline, "%sTTY=%s ; PWD=%s ; USER=%s ; COMMAND=%s%s%s",
++ easprintf(&logline, "%sTTY=%s ; PWD=%s ; USER=%s ; COMMAND=%s%s%s ; SSH_CLIENT=%s",
+ message, user_tty, user_cwd, *user_runas, user_cmnd,
+- user_args ? " " : "", user_args ? user_args : "");
++ user_args ? " " : "", user_args ? user_args : "", user_ssh_client ? user_ssh_client : "" );
+ 
+ mail_auth(status, logline); /* send mail based on status */
+ 
+--- env.b.c 2005-02-06 16:37:01.000000000 +0100
++++ env.c 2006-01-21 18:42:41.000000000 +0100
+@@ -183,6 +183,8 @@
+ user_prompt = *ep + 12;
+ else if (strncmp("SUDO_USER=", *ep, 10) == 0)
+ prev_user = *ep + 10;
++ else if (strncmp("SSH_CLIENT=", *ep, 11) == 0)
++ user_ssh_client = *ep + 11;
+ continue;
+ case 'T':
+ if (strncmp("TZ=", *ep, 3) == 0)
+--- sudo.b.h 2005-03-24 00:44:46.000000000 +0100
++++ sudo.h 2006-01-21 18:51:34.000000000 +0100
+@@ -38,6 +38,7 @@
+ struct stat *cmnd_stat;
+ char *path;
+ char *shell;
++ char *user_ssh_client;
+ char *tty;
+ char cwd[PATH_MAX];
+ char *host;
+@@ -127,6 +128,7 @@
+ #define user_shell (sudo_user.shell)
+ #define user_tty (sudo_user.tty)
+ #define user_cwd (sudo_user.cwd)
++#define user_ssh_client (sudo_user.user_ssh_client)
+ #define user_runas (sudo_user.runas)
+ #define user_cmnd (sudo_user.cmnd)
+ #define user_args (sudo_user.cmnd_args)
diff --git a/app-admin/sudo/files/sudo b/app-admin/sudo/files/sudo
new file mode 100644
index 0000000..8fc562d
--- /dev/null
+++ b/app-admin/sudo/files/sudo
@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth required pam_stack.so service=system-auth
+account required pam_stack.so service=system-auth
+password required pam_stack.so service=system-auth
+session required pam_stack.so service=system-auth
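Review bot: The value appended by the new `SSH_CLIENT=%s` format in the logging.c hunk is whatever `SSH_CLIENT=` string the env.c hunk finds in sudo's own environment (`user_ssh_client = *ep + 11`), and nothing in either hunk checks that it was set by sshd rather than by the invoking user, or that it is free of newlines and control characters before it reaches syslog and the mail report. Unless logging.c sanitizes logline elsewhere, the field can report a different client address than the real one or carry extra log lines, so it should be validated against the expected `ip port ip port` shape (or reduced to printable characters) before it is logged, and labelled as what it is, e.g. `; SSH_CLIENT(unverified)=%s`. The same three hunks are repeated in sudo-1.6.8_p12-ssh_client.diff, where the same point applies. The enclosing functions in logging.c and env.c both start and end outside the hunks.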
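Review bot: All four stack lines depend on `pam_stack.so`, the legacy Red Hat stacking module that Linux-PAM superseded with the `include` control; on a system where that module is not installed each `required` entry fails to load and sudo authentication stops working rather than falling back. The portable form is `auth include system-auth`, with `account include system-auth`, `password include system-auth` and `session include system-auth` for the remaining three lines.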
diff --git a/app-admin/sudo/files/sudo-1.6.8_p12-ssh_client.diff b/app-admin/sudo/files/sudo-1.6.8_p12-ssh_client.diff
new file mode 100644
index 0000000..540ee74
--- /dev/null
+++ b/app-admin/sudo/files/sudo-1.6.8_p12-ssh_client.diff
@@ -0,0 +1,46 @@
+diff -uNr -r sudo-1.6.8p12-orig/env.c sudo-1.6.8p12/env.c
+--- sudo-1.6.8p12-orig/env.c 2007-03-04 18:32:36.000000000 +0100
++++ sudo-1.6.8p12/env.c 2007-03-04 18:32:06.000000000 +0100
+@@ -200,6 +200,8 @@
+ user_prompt = *ep + 12;
+ else if (strncmp("SUDO_USER=", *ep, 10) == 0)
+ prev_user = *ep + 10;
++ else if (strncmp("SSH_CLIENT=", *ep, 11) == 0)
++ user_ssh_client = *ep + 11;
+ continue;
+ case 'T':
+ if (strncmp("TZ=", *ep, 3) == 0)
+diff -uNr -r sudo-1.6.8p12-orig/logging.c sudo-1.6.8p12/logging.c
+--- sudo-1.6.8p12-orig/logging.c 2004-05-17 22:08:46.000000000 +0200
++++ sudo-1.6.8p12/logging.c 2007-03-04 18:32:06.000000000 +0100
+@@ -301,9 +301,9 @@
+ else
+ message = "unknown error ; ";
+ 
+- easprintf(&logline, "%sTTY=%s ; PWD=%s ; USER=%s ; COMMAND=%s%s%s",
++ easprintf(&logline, "%sTTY=%s ; PWD=%s ; USER=%s ; COMMAND=%s%s%s ; SSH_CLIENT=%s",
+ message, user_tty, user_cwd, *user_runas, user_cmnd,
+- user_args ? " " : "", user_args ? user_args : "");
++ user_args ? " " : "", user_args ? user_args : "", user_ssh_client ? user_ssh_client : "" );
+ 
+ mail_auth(status, logline); /* send mail based on status */
+ 
+diff -uNr -r sudo-1.6.8p12-orig/sudo.h sudo-1.6.8p12/sudo.h
+--- sudo-1.6.8p12-orig/sudo.h 2005-03-24 00:44:46.000000000 +0100
++++ sudo-1.6.8p12/sudo.h 2007-03-04 18:32:06.000000000 +0100
+@@ -38,6 +38,7 @@
+ struct stat *cmnd_stat;
+ char *path;
+ char *shell;
++ char *user_ssh_client;
+ char *tty;
+ char cwd[PATH_MAX];
+ char *host;
+@@ -127,6 +128,7 @@
+ #define user_shell (sudo_user.shell)
+ #define user_tty (sudo_user.tty)
+ #define user_cwd (sudo_user.cwd)
++#define user_ssh_client (sudo_user.user_ssh_client)
+ #define user_runas (sudo_user.runas)
+ #define user_cmnd (sudo_user.cmnd)
+ #define user_args (sudo_user.cmnd_args)
diff --git a/app-admin/sudo/files/sudo-1.6.8_p8-ldap-tls_cacert.diff b/app-admin/sudo/files/sudo-1.6.8_p8-ldap-tls_cacert.diff
new file mode 100644
index 0000000..bb2570e
--- /dev/null
+++ b/app-admin/sudo/files/sudo-1.6.8_p8-ldap-tls_cacert.diff
@@ -0,0 +1,10 @@
+--- ldap.c.orig 2005-06-16 22:55:41.047152568 +0100
++++ ldap.c 2005-06-16 22:56:49.707714576 +0100
+@@ -539,6 +539,7 @@
+ else MATCH_S("ssl", ldap_conf.ssl)
+ else MATCH_B("tls_checkpeer", ldap_conf.tls_checkpeer)
+ else MATCH_S("tls_cacertfile", ldap_conf.tls_cacertfile)
++ else MATCH_S("tls_cacert", ldap_conf.tls_cacertfile)
+ else MATCH_S("tls_cacertdir", ldap_conf.tls_cacertdir)
+ else MATCH_S("tls_randfile", ldap_conf.tls_random_file)
+ else MATCH_S("tls_ciphers", ldap_conf.tls_cipher_suite)
diff --git a/app-admin/sudo/files/sudo-ldap_timelimit.diff b/app-admin/sudo/files/sudo-ldap_timelimit.diff
new file mode 100644
index 0000000..2c13ba4
--- /dev/null
+++ b/app-admin/sudo/files/sudo-ldap_timelimit.diff
@@ -0,0 +1,76 @@
+diff -urN sudo-1.6.8p8/ldap.c sudo-1.6.8p8-patched/ldap.c
+--- sudo-1.6.8p8/ldap.c 2004-12-01 03:28:46.000000000 +0000
++++ sudo-1.6.8p8-patched/ldap.c 2005-06-22 08:14:59.000000000 +0000
+@@ -82,6 +82,8 @@
+ char *bindpw;
+ char *base;
+ char *ssl;
++ int bind_timelimit;
++ int timelimit;
+ int tls_checkpeer;
+ char *tls_cacertfile;
+ char *tls_cacertdir;
+@@ -545,6 +547,8 @@
+ else MATCH_S("tls_cert", ldap_conf.tls_certfile)
+ else MATCH_S("tls_key", ldap_conf.tls_keyfile)
+ else MATCH_I("ldap_version", ldap_conf.version)
++ else MATCH_I("bind_timelimit", ldap_conf.bind_timelimit)
++ else MATCH_I("timelimit", ldap_conf.timelimit)
+ else MATCH_S("uri", ldap_conf.uri)
+ else MATCH_S("binddn", ldap_conf.binddn)
+ else MATCH_S("bindpw", ldap_conf.bindpw)
+@@ -566,6 +570,8 @@
+ if (!ldap_conf.version) ldap_conf.version=3;
+ if (!ldap_conf.port) ldap_conf.port=389;
+ if (!ldap_conf.host) ldap_conf.host=estrdup("localhost");
++ if (!ldap_conf.bind_timelimit) ldap_conf.bind_timelimit=30;
++ if (!ldap_conf.timelimit) ldap_conf.timelimit=30;
+ 
+ 
+ if (ldap_conf.debug>1) {
+@@ -589,6 +595,10 @@
+ ldap_conf.binddn : "(anonymous)");
+ printf("bindpw %s\n", ldap_conf.bindpw ?
+ ldap_conf.bindpw : "(anonymous)");
++ printf("bind_timelimit %d\n", ldap_conf.bind_timelimit ?
++ ldap_conf.bind_timelimit : 30);
++ printf("timelimit %d\n", ldap_conf.timelimit ?
++ ldap_conf.timelimit : 30);
+ #ifdef HAVE_LDAP_START_TLS_S
+ printf("ssl %s\n", ldap_conf.ssl ?
+ ldap_conf.ssl : "(no)");
+@@ -772,6 +782,34 @@
+ }
+ #endif /* LDAP_OPT_X_TLS_REQUIRE_CERT */
+ 
++ /* setup timelimit options */
++
++SET_OPTI(LDAP_OPT_TIMELIMIT, "TIMELIMIT", timelimit);
++
++#ifdef LDAP_X_OPT_CONNECT_TIMEOUT
++ int timeout;
++ timeout = ldap_conf.bind_timelimit * 1000;
++
++ SET_OPTI(LDAP_X_OPT_CONNECT_TIMEOUT, "X_OPT_CONNECT_TIMEOUT", timeout);
++#endif
++
++#ifdef LDAP_OPT_NETWORK_TIMEOUT
++ if (ldap_conf.debug>1) fprintf(stderr, "setting bind_timelimit to %d\n", \
++ ldap_conf.bind_timelimit);
++
++ struct timeval tv;
++
++ tv.tv_sec = ldap_conf.bind_timelimit;
++ tv.tv_usec = 0;
++
++ rc = ldap_set_option (ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
++
++ if (rc != LDAP_OPT_SUCCESS) {
++ fprintf(stderr, "bind_timelimit ldap_set_option failed: %s\n", ldap_err2string(rc));
++ return VALIDATE_ERROR;
++ }
++#endif
++
+ /* attempt connect */
+ #ifdef HAVE_LDAP_INITIALIZE
+ if (ldap_conf.uri) {
diff --git a/app-admin/sudo/files/sudo-skeychallengeargs.diff b/app-admin/sudo/files/sudo-skeychallengeargs.diff
new file mode 100644
index 0000000..3c90cfa
--- /dev/null
+++ b/app-admin/sudo/files/sudo-skeychallengeargs.diff
@@ -0,0 +1,15 @@
+--- sudo-1.6.7p5/auth/rfc1938.c 2003-04-16 01:39:15.000000000 +0100
++++ sudo-1.6.7p5/auth/rfc1938.c.new 2004-09-17 20:01:00.996902672 +0100
+@@ -64,11 +64,7 @@
+ #if defined(HAVE_SKEY)
+ # include <skey.h>
+ # define RFC1938 skey
+-# ifdef __NetBSD__
+-# define rfc1938challenge(a,b,c,d) skeychallenge((a),(b),(c),(d))
+-# else
+-# define rfc1938challenge(a,b,c,d) skeychallenge((a),(b),(c))
+-# endif
++# define rfc1938challenge(a,b,c,d) skeychallenge((a),(b),(c),(d))
+ # define rfc1938verify(a,b) skeyverify((a),(b))
+ #elif defined(HAVE_OPIE)
+ # include <opie.h>
diff --git a/app-admin/sudo/files/sudoers b/app-admin/sudo/files/sudoers
new file mode 100644
index 0000000..4642d50
--- /dev/null
+++ b/app-admin/sudo/files/sudoers
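Review bot: In the `@@ -772,6 +782,34 @@` hunk `int timeout;` and `struct timeval tv;` are declared after statements (the `SET_OPTI(...)` line and the debug `fprintf`), which C89 compilers reject, and the values read by the new `MATCH_I` lines are never range-checked, so a negative `bind_timelimit` from ldap.conf lands in `tv.tv_sec` and a large one overflows `ldap_conf.bind_timelimit * 1000`. Hoist the two declarations to the top of the enclosing function (which begins outside the hunk) and, where the defaults are applied in the `@@ -566,6 +570,8 @@` hunk, reject out-of-range values, e.g. `if (ldap_conf.bind_timelimit < 0 || ldap_conf.bind_timelimit > INT_MAX / 1000) ldap_conf.bind_timelimit = 30;` with the same guard for `timelimit`. The `? ... : 30` fallbacks in the `@@ -589,6 +595,10 @@` printf lines appear to be dead once those defaults have run and can be dropped.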
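Review bot: The replacement `rfc1938challenge` macro hardwires the four-argument `skeychallenge((a),(b),(c),(d))` for every platform, which is exactly the variation the removed `#ifdef __NetBSD__` branch existed to isolate; against a libskey whose `skey.h` declares the three-argument form the call no longer compiles. A configure-time check of skeychallenge's arity, or limiting the change to the platforms known to need it, would keep the patch from breaking other hosts. The surrounding `#if defined(HAVE_SKEY)` block continues past the end of the hunk.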
@@ -0,0 +1,55 @@
+# sudoers file.
+#
+# This file MUST be edited with the 'visudo' command as root.
+#
+# See the sudoers man page for the details on how to write a sudoers file.
+#
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# Defaults specification
+
+# Reset environment by default
+Defaults env_reset
+
+# Uncomment to allow users in group wheel to export variables
+# Defaults:%wheel !env_reset
+
+# Allow users in group users to export specific variables
+# Defaults:%users env_keep=TZ
+
+# Allow specific user to bypass env_delete for TERMCAP
+# Defaults:user env_delete-=TERMCAP
+
+# Set default EDITOR to vi, and do not allow visudo to use EDITOR/VISUAL.
+# Defaults editor=/usr/bin/vim, !env_editor
+
+# Runas alias specification
+
+# *** REMEMBER ***************************************************
+# * GIVING SUDO ACCESS TO USERS ALLOWS THEM TO RUN THE SPECIFIED *
+# * COMMANDS WITH ELEVATED PRIVILEGES. *
+# * *
+# * NEVER PERMIT UNTRUSTED USERS TO ACCESS SUDO. *
+# ****************************************************************
+
+# User privilege specification
+root ALL=(ALL) ALL
+
+# Uncomment to allow people in group wheel to run all commands
+# %wheel ALL=(ALL) ALL
+
+# Same thing without a password
+# %wheel ALL=(ALL) NOPASSWD: ALL
+
+# Users in group www are allowed to edit httpd.conf and ftpd.conf
+# using sudoedit, or sudo -e, without a password.
+# %www ALL=(ALL) NOPASSWD: sudoedit /etc/httpd.conf, /etc/ftpd.conf
+
+# Samples
+# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
+# %users localhost=/sbin/shutdown -h now |