Merge ~danilogondolfo/ubuntu/+source/sudo:merge_mantic_lp2025655 into ubuntu/+source/sudo:debian/sid

Proposed by Danilo Egea Gondolfo
Status: Needs review
Proposed branch: ~danilogondolfo/ubuntu/+source/sudo:merge_mantic_lp2025655
Merge into: ubuntu/+source/sudo:debian/sid
Diff against target: 1847 lines (+1424/-52)
11 files modified
debian/changelog (+1253/-0)
debian/control (+2/-1)
debian/etc/pam.d/sudo (+3/-0)
debian/etc/pam.d/sudo-i (+3/-0)
debian/etc/sudoers (+4/-1)
debian/sudo-ldap.manpages (+1/-0)
debian/sudo.manpages (+1/-0)
debian/sudo_root.8 (+138/-0)
debian/tests/04-getroot-sssd (+11/-0)
debian/tests/control (+8/-4)
dev/null (+0/-46)
Reviewer Review Type Date Requested Status
Christian Ehrhardt  (community) Approve
Steve Langasek Pending
git-ubuntu import Pending
Review via email: mp+446052@code.launchpad.net
Athos Ribeiro (athos-ribeiro) wrote :

Hi Danilo,

Did you follow the process described in https://github.com/canonical/ubuntu-maintainers-handbook/blob/main/PackageMerging.md?

If so, would you mind also pushing the tags generated through that merge process?

Danilo Egea Gondolfo (danilogondolfo) wrote :

Hi Athos,

I didn't. I did the merge and reconstructed the git history manually so I don't have the tags created by git ubuntu merge... I did that for all my recent merges actually. But I'll fully adopt the process for my next merges.

Christian Ehrhardt  (paelzer) wrote :

(patch pilot of the day) Ok, I'll try to see what I can do without ...

Christian Ehrhardt  (paelzer) wrote :

FYI This kind of is the second run of https://code.launchpad.net/~danilogondolfo/ubuntu/+source/sudo/+git/sudo/+merge/443422

Sadly without pushing any tags (or anything else representing the old history) I have a hard time to compare and ensure this is a correct merge. Essentially I'll have to do the same effort again.
To explain - with you doing that I can compare your split to what is in Ubuntu, if that is the same I can compare what you have put on top of latest Debian with the delta we had on top of the former Debian.
Just wanted to explain why it helps to provide your git history of the old delta :-)

Ok, this is messy enough - I can give you a few comments for things to

0. Please provide the split delta on top of current Ubuntu as it would help.
I've seen that 1.9.13p3-1ubuntu1 is from you as well, shouldn't that be somewhere.
I found this branch and it is split \o/
So that is what I'll use.

---

1. In the old changelog you had:
      - debian/control:
        + Drop Build-Conflicts on fakeroot (<< 1.25.3-1.1ubuntu1)
        (for context see LP 1915250)

In the commit this was actually the change
-Maintainer: Sudo Maintainers <email address hidden>
+Maintainer: Ubuntu Developers <email address hidden>

Now this is confusing.

I see that the new merge has a proper "Update maintainer" commit. (f3d882bd)

And now that I found all that I realize why it isn't mentioned in changelog.

Other people might be confused and run into a rabbit hole here.
You should IMHO mention this in the changelog like for example:
  * Dropped changes
    - Drop Build-Conflicts on fakeroot (<< 1.25.3-1.1ubuntu1)
      [ This wasn't in the former Ubuntu version, just mentioned
        in the changelog by accident ]

---

2. In new changelog, but not mentioned as added:
      - debian/tests/04-getroot-sssd:
        + wait for 2 seconds before trying to access the slapd daemon.
          In some situations, the next command (ldapmodify) runs before
          the service is ready.

Prepend this by something like
  * Added changes
Because without it is listed under "Remaining" which isn't true.

---

3. the fix of debian/tests/04-getroot-sssd itself

There is no bug reference, no nothing.
I have to assume that the test failed autopkgtest.
You have to understand any "sleep x" causes allergic reactions.
What if tomorrow the machine is slower, then it fails again.

It would be much better (and I'd ask to add this instead) to do

# 1. Start the server as you already do
slapd -h "ldaps:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d
# 2. check if it is ready
$ ldapwhoami -Y external -H ldapi:///

This is not doing anything (no-op) but will deliver

root@m:~# ldapwhoami -Y external -H ldapi:///
ldap_sasl_interactive_bind: Can't contact LDAP server (-1)
root@m:~# echo $?
255

root@m:~# ldapwhoami -Y external -H ldapi:///
SASL/EXTERNAL authentication started
SASL use...


review: Needs Fixing
Danilo Egea Gondolfo (danilogondolfo) wrote :

Hi Christian, thanks a lot for looking at this (and for the lesson).

I tried to address all your comments. I'll start following the git ubuntu merge process from now on. Doing it manually was how I learned when I started doing it a few months ago and I think it's quick and simple enough (and nobody complained until the patch pilot started :P) so I guess I was resisting adopting git ubuntu merge.

I replaced the sleep with a loop checking if slapd is responding, you can see the retry being triggered once here https://autopkgtest.ubuntu.com/results/autopkgtest-mantic-danilogondolfo-sudo2/mantic/ppc64el/s/sudo/20230711_210349_531f6@/log.gz
I also created a bug report about the problem.

The simple sleep is already used somewhere else in the same script so I just went for the simpler solution as slapd would very much likely be ready in 2 seconds in most of the situations, unless the system is completely dying...
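
A bounded readiness poll of the kind discussed in this thread, built around the `ldapwhoami` probe from the review. This is an added example, not the loop from the package's test; `wait_until_ready`, `slapd_ready`, `start_slapd_and_wait`, `flaky_probe` and the retry counts are assumptions.

```shell
#!/bin/sh
# Added example: bounded readiness poll instead of a fixed "sleep 2".
# All function names, the retry count and the delay are assumptions,
# not taken from debian/tests/04-getroot-sssd.

# wait_until_ready MAX_TRIES DELAY_SECONDS CMD [ARGS...]
# Runs CMD until it exits 0 or MAX_TRIES attempts have been made.
# Returns 0 when CMD succeeded, 1 otherwise.
# WAIT_TRIES holds the number of attempts used.
wait_until_ready() {
    wur_max=$1
    wur_delay=$2
    shift 2
    WAIT_TRIES=0
    while [ "$WAIT_TRIES" -lt "$wur_max" ]; do
        WAIT_TRIES=$((WAIT_TRIES + 1))
        if "$@" >/dev/null 2>&1; then
            return 0
        fi
        # No point sleeping after the last failed attempt.
        if [ "$WAIT_TRIES" -lt "$wur_max" ]; then
            sleep "$wur_delay"
        fi
    done
    return 1
}

# The no-op probe from the review: exits 255 while slapd cannot be
# contacted and 0 once the ldapi socket answers.
slapd_ready() {
    ldapwhoami -Y external -H ldapi:///
}

# How a test script could use it. Defined only, not called here,
# because it needs slapd and the LDAP client tools installed.
start_slapd_and_wait() {
    slapd -h "ldaps:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d
    if ! wait_until_ready 30 1 slapd_ready; then
        # Fail here with a clear message instead of letting the next
        # command (ldapmodify) fail against a server that is not up.
        echo "slapd not ready after $WAIT_TRIES attempts" >&2
        return 1
    fi
}

# Constructed stand-in probe so the example runs without slapd:
# it fails twice and succeeds on the third call, like a daemon that
# needs a moment before it accepts connections.
PROBE_CALLS=0
flaky_probe() {
    PROBE_CALLS=$((PROBE_CALLS + 1))
    [ "$PROBE_CALLS" -ge 3 ]
}

if wait_until_ready 5 0 flaky_probe; then
    echo "ready after $WAIT_TRIES attempts"
fi
```

Unlike a fixed sleep, the poll returns as soon as the probe succeeds and reports a hard failure when the retry budget is exhausted, so a slow machine produces a clear error rather than an intermittent one.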

Christian Ehrhardt  (paelzer) wrote :

Hey Danilo,
to be clear I'm not at all insisting on you using the full git ubuntu workflow - that is and should be entirely up to you.

But if sometimes - due to not using it - I can not (or only with many hours of extra work as it is kind of doing the merge myself to compare) deliver some part of the review - then I'd let you know.

Like in this case - all I wanted was some way to get the split you did, not everything else the process gives us. And as I have stated, I found the branch of your former merge which unblocked me. It was just harder to find.

I can't fit this today, but I'll try to re-review tomorrow

Christian Ehrhardt  (paelzer) wrote :

Having a look again

#0 was just a recommendation that would have helped me, nothing to fix here

#1 is done - thanks

#2 is done - thanks

#3 is done
I know often we find bad examples in other places :-)
But if - like in this case - doing it better isn't too complex we should try to do so.
Thanks for adding what I wanted :-) !

#4 was only about style anyway (not a blocker) and you have adapted them a bit - thanks.

Overall, all open issues are addressed.
I do not see anything further that is of deep concern.

+1 now
Doing some final checks and then likely uploading ...

P.S. Not a blocker, but a hint. That test timing fix you did is IMHO generally helpful.
And before forgetting about this package you might want to submit it to Debian?

review: Approve
Christian Ehrhardt  (paelzer) wrote :

ok, LGTM

Uploading sudo_1.9.13p3-3ubuntu1.dsc
Uploading sudo_1.9.13p3.orig.tar.gz
Uploading sudo_1.9.13p3.orig.tar.gz.asc
Uploading sudo_1.9.13p3-3ubuntu1.debian.tar.xz
Uploading sudo_1.9.13p3-3ubuntu1_source.buildinfo
Uploading sudo_1.9.13p3-3ubuntu1_source.changes

Unmerged commits

19ff91f... by Danilo Egea Gondolfo

Changelog

a1956a1... by Danilo Egea Gondolfo

Update maintainer

8864bed... by Danilo Egea Gondolfo

debian/tests/04-getroot-sssd:

  + Check if the slapd daemon is ready before proceeding.
    In some situations, the next command (ldapmodify) runs before
    the service is ready. See LP:#2026888

2b916e4... by Danilo Egea Gondolfo

debian/tests/control: 03-getroot-ldap

  + allow removal of 'sudo' in autopkgtest (SUDO_FORCE_REMOVE=yes)

ebffbaa... by Danilo Egea Gondolfo

debian/etc/sudoers:

  + also grant admin group sudo access
  + include /snap/bin in the secure_path

c1e6ba2... by Danilo Egea Gondolfo

debian/etc/pam.d/sudo[-i]:

  + Use pam_env to read /etc/environment and /etc/default/locale
    environment files. Reading ~/.pam_environment is not permitted due
    to security reasons.

bd0ec79... by Danilo Egea Gondolfo

debian/sudo[-ldap].init: delete init scripts, as they are no longer
necessary.

f2fd598... by Danilo Egea Gondolfo

debian/sudo[-ldap].manpages: install man/man8/sudo_root.8

Preview Diff

diff --git a/debian/changelog b/debian/changelog
index e6798fd..4416484 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,30 @@
1sudo (1.9.13p3-3ubuntu1) mantic; urgency=medium
2
3 * Merge with Debian unstable (LP: #2025655). Remaining changes:
4 - debian/sudo[-ldap].manpages: install man/man8/sudo_root.8
5 - debian/sudo[-ldap].init: delete init scripts, as they are no longer
6 necessary.
7 - debian/etc/pam.d/sudo[-i]:
8 + Use pam_env to read /etc/environment and /etc/default/locale
9 environment files. Reading ~/.pam_environment is not permitted due
10 to security reasons.
11 - debian/etc/sudoers:
12 + also grant admin group sudo access
13 + include /snap/bin in the secure_path
14 - debian/tests/control: 03-getroot-ldap:
15 + allow removal of 'sudo' in autopkgtest (SUDO_FORCE_REMOVE=yes)
16 * Added changes:
17 - debian/tests/04-getroot-sssd:
18 + Check if the slapd daemon is ready before proceeding.
19 In some situations, the next command (ldapmodify) runs before
20 the service is ready. See LP:#2026888
21 * Dropped changes:
22 - Drop Build-Conflicts on fakeroot (<< 1.25.3-1.1ubuntu1)
23 This wasn't in the former Ubuntu version, just mentioned
24 in the changelog by accident
25
26 -- Danilo Egea Gondolfo <danilo.egea.gondolfo@canonical.com> Mon, 03 Jul 2023 15:23:30 +0100
27
1sudo (1.9.13p3-3) unstable; urgency=medium28sudo (1.9.13p3-3) unstable; urgency=medium
229
3 * fix wrong patch to fix event log format30 * fix wrong patch to fix event log format
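Review bot: new-file line 20 writes the bug reference as "LP:#2026888", while line 3 of the same entry uses "LP: #2025655"; if this upload is meant to close that bug, use the same "LP: #2026888" form, and if it is only a pointer, keep "See" but still use the one spelling so the two references are read the same way. Separately, the "Dropped changes" item on lines 22-24 names no file, unlike every item under "Remaining changes"; prefixing it with "debian/control:" would let a reader match it directly against the "debian/control:" item in the 1.9.13p3-1ubuntu1 entry it corrects.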
@@ -13,6 +40,29 @@ sudo (1.9.13p3-2) unstable; urgency=medium
1340
14 -- Marc Haber <mh+debian-packages@zugschlus.de> Tue, 27 Jun 2023 11:09:16 +020041 -- Marc Haber <mh+debian-packages@zugschlus.de> Tue, 27 Jun 2023 11:09:16 +0200
1542
43sudo (1.9.13p3-1ubuntu1) mantic; urgency=medium
44
45 * Merge with Debian unstable. Remaining changes:
46 - debian/sudo[-ldap].manpages: install man/man8/sudo_root.8
47 - debian/sudo[-ldap].init: delete init scripts, as they are no longer
48 necessary.
49 - debian/etc/pam.d/sudo[-i]:
50 + Use pam_env to read /etc/environment and /etc/default/locale
51 environment files. Reading ~/.pam_environment is not permitted due
52 to security reasons.
53 - debian/etc/sudoers:
54 + also grant admin group sudo access
55 + include /snap/bin in the secure_path
56 - debian/tests/control: 03-getroot-ldap:
57 + allow removal of 'sudo' in autopkgtest (SUDO_FORCE_REMOVE=yes)
58 - debian/control:
59 + Drop Build-Conflicts on fakeroot (<< 1.25.3-1.1ubuntu1)
60 (for context see LP 1915250)
61 * Dropped changes, now included in Debian:
62 - debian/patches/CVE-2023-27320.patch
63
64 -- Danilo Egea Gondolfo <danilo.egea.gondolfo@canonical.com> Tue, 23 May 2023 14:34:04 +0100
65
16sudo (1.9.13p3-1) unstable; urgency=medium66sudo (1.9.13p3-1) unstable; urgency=medium
1767
18 * new upstream version:68 * new upstream version:
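Review bot: new-file lines 58-60 list "Drop Build-Conflicts on fakeroot" under "Remaining changes", so a removal is recorded as a delta that is still carried, which is the confusion raised in the review thread. Because this is the entry of an earlier upload, it should stay exactly as it was published and the correction should live only in the new 1.9.13p3-3ubuntu1 entry; please check that this restored block matches the changelog of the 1.9.13p3-1ubuntu1 package as uploaded, including the "LP 1915250" wording on line 60.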
@@ -28,6 +78,44 @@ sudo (1.9.13p3-1) unstable; urgency=medium
2878
29 -- Marc Haber <mh+debian-packages@zugschlus.de> Wed, 08 Mar 2023 21:17:05 +010079 -- Marc Haber <mh+debian-packages@zugschlus.de> Wed, 08 Mar 2023 21:17:05 +0100
3080
81sudo (1.9.13p1-1ubuntu2) lunar; urgency=medium
82
83 * SECURITY UPDATE: double free with per-command chroot sudoers rules
84 - debian/patches/CVE-2023-27320.patch: don't free user_cmnd twice in
85 MANIFEST, plugins/sudoers/match_command.c,
86 plugins/sudoers/regress/fuzz/fuzz_sudoers.c,
87 plugins/sudoers/regress/testsudoers/test20.out.ok,
88 plugins/sudoers/regress/testsudoers/test20.sh,
89 plugins/sudoers/testsudoers.c,
90 plugins/sudoers/visudo.c.
91 - CVE-2023-27320
92
93 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 01 Mar 2023 08:51:34 -0500
94
95sudo (1.9.13p1-1ubuntu1) lunar; urgency=medium
96
97 * Merge from Debian unstable. Remaining changes:
98 - debian/sudo[-ldap].manpages: install man/man8/sudo_root.8
99 - debian/sudo[-ldap].init: delete init scripts, as they are no longer
100 necessary.
101 - debian/etc/pam.d/sudo[-i]:
102 + Use pam_env to read /etc/environment and /etc/default/locale
103 environment files. Reading ~/.pam_environment is not permitted due
104 to security reasons.
105 - debian/etc/sudoers:
106 + also grant admin group sudo access
107 + include /snap/bin in the secure_path
108 - debian/tests/control: 03-getroot-ldap:
109 + allow removal of 'sudo' in autopkgtest (SUDO_FORCE_REMOVE=yes)
110 - debian/control:
111 + Drop Build-Conflicts on fakeroot (<< 1.25.3-1.1ubuntu1)
112 (for context see LP: 1915250)
113 - Drop patches for issues fixed upstream
114 + d/p/CVE-2023-22809.patch
115 + d/p/Add-XDG_CURRENT_DESKTOP-to-initial_keepenv_table.patch
116
117 -- Danilo Egea Gondolfo <danilo.egea.gondolfo@canonical.com> Mon, 20 Feb 2023 17:38:07 +0000
118
31sudo (1.9.13p1-1) unstable; urgency=medium119sudo (1.9.13p1-1) unstable; urgency=medium
32120
33 * new upstream version 1.9.13p1121 * new upstream version 1.9.13p1
@@ -67,12 +155,75 @@ sudo (1.9.12p1-1) unstable; urgency=low
67155
68 -- Marc Haber <mh+debian-packages@zugschlus.de> Sun, 15 Jan 2023 13:58:48 +0100156 -- Marc Haber <mh+debian-packages@zugschlus.de> Sun, 15 Jan 2023 13:58:48 +0100
69157
158sudo (1.9.11p3-1ubuntu3) lunar; urgency=medium
159
160 * SECURITY UPDATE: arbitrary file overwrite via sudoedit
161 - debian/patches/CVE-2023-22809.patch: do not permit editor arguments
162 to include -- in plugins/sudoers/editor.c, plugins/sudoers/sudoers.c,
163 plugins/sudoers/visudo.c.
164 - CVE-2023-22809
165
166 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 18 Jan 2023 12:46:34 -0500
167
168sudo (1.9.11p3-1ubuntu2) lunar; urgency=medium
169
170 * No-change rebuild against libldap-2
171
172 -- Steve Langasek <steve.langasek@ubuntu.com> Thu, 15 Dec 2022 19:57:01 +0000
173
174sudo (1.9.11p3-1ubuntu1) kinetic; urgency=medium
175
176 * Merge from Debian unstable. Remaining changes:
177 - debian/control:
178 + Build-Conflicts on fakeroot (<< 1.25.3-1.1ubuntu1)
179 - debian/sudo[-ldap].manpages: install man/man8/sudo_root.8
180 - debian/sudo[-ldap].init: delete init scripts, as they are no longer
181 necessary.
182 - debian/etc/pam.d/sudo[-i]:
183 + Use pam_env to read /etc/environment and /etc/default/locale
184 environment files. Reading ~/.pam_environment is not permitted due
185 to security reasons.
186 - debian/etc/sudoers:
187 + also grant admin group sudo access
188 + include /snap/bin in the secure_path
189 - debian/tests/control: 03-getroot-ldap:
190 + allow removal of 'sudo' in autopkgtest (SUDO_FORCE_REMOVE=yes)
191 - Add XDG_CURRENT_DESKTOP to initial_keepenv_table for Qt to determine the
192 correct theme (LP: #1958055)
193
194 -- Benjamin Drung <bdrung@ubuntu.com> Tue, 23 Aug 2022 10:06:34 +0200
195
70sudo (1.9.11p3-1) unstable; urgency=low196sudo (1.9.11p3-1) unstable; urgency=low
71197
72 * new upstream version 1.9.11p3198 * new upstream version 1.9.11p3
73199
74 -- Marc Haber <mh+debian-packages@zugschlus.de> Wed, 23 Mar 2022 10:50:16 +0100200 -- Marc Haber <mh+debian-packages@zugschlus.de> Wed, 23 Mar 2022 10:50:16 +0100
75201
202sudo (1.9.10-3ubuntu1) kinetic; urgency=medium
203
204 * Merge from Debian unstable. Remaining changes:
205 - debian/control:
206 + Build-Conflicts on fakeroot (<< 1.25.3-1.1ubuntu1)
207 - debian/sudo[-ldap].manpages: install man/man8/sudo_root.8
208 - debian/sudo[-ldap].init: delete init scripts, as they are no longer
209 necessary.
210 - debian/etc/pam.d/sudo[-i]:
211 + Use pam_env to read /etc/environment and /etc/default/locale
212 environment files. Reading ~/.pam_environment is not permitted due
213 to security reasons.
214 - debian/etc/sudoers:
215 + also grant admin group sudo access
216 + include /snap/bin in the secure_path
217 - debian/tests/control: 03-getroot-ldap:
218 + allow removal of 'sudo' in autopkgtest (SUDO_FORCE_REMOVE=yes)
219 * Dropped changes (applied in Debian):
220 - debian/rules:
221 + compile with --without-lecture --with-tty-tickets --enable-admin-flag
222 * Add XDG_CURRENT_DESKTOP to initial_keepenv_table for Qt to determine the
223 correct theme (LP: #1958055)
224
225 -- Benjamin Drung <bdrung@ubuntu.com> Wed, 03 Aug 2022 10:45:04 +0200
226
76sudo (1.9.10-3) unstable; urgency=medium227sudo (1.9.10-3) unstable; urgency=medium
77228
78 * some changes to 03-getroot-ldap autopkgtest to find out229 * some changes to 03-getroot-ldap autopkgtest to find out
@@ -119,6 +270,37 @@ sudo (1.9.10-1) experimental; urgency=medium
119270
120 -- Marc Haber <mh+debian-packages@zugschlus.de> Fri, 18 Mar 2022 14:31:30 +0100271 -- Marc Haber <mh+debian-packages@zugschlus.de> Fri, 18 Mar 2022 14:31:30 +0100
121272
273sudo (1.9.9-1ubuntu2) jammy; urgency=medium
274
275 * d/t/control: skip 03-getroot-ldap autopkgtest on non-containers
276
277 -- Lukas Märdian <slyon@ubuntu.com> Mon, 14 Feb 2022 12:48:05 +0100
278
279sudo (1.9.9-1ubuntu1) jammy; urgency=medium
280
281 * Merge from Debian unstable. Remaining changes:
282 - debian/control:
283 + Build-Conflicts on fakeroot (<< 1.25.3-1.1ubuntu1)
284 - debian/rules:
285 + compile with --without-lecture --with-tty-tickets --enable-admin-flag
286 - debian/sudo[-ldap].manpages: install man/man8/sudo_root.8
287 - debian/sudo[-ldap].init: delete init scripts, as they are no longer
288 necessary.
289 - debian/etc/pam.d/sudo[-i]:
290 + Use pam_env to read /etc/environment and /etc/default/locale
291 environment files. Reading ~/.pam_environment is not permitted due
292 to security reasons.
293 - debian/etc/sudoers:
294 + also grant admin group sudo access
295 + include /snap/bin in the secure_path
296 - debian/tests/control: 03-getroot-ldap:
297 + allow removal of 'sudo' in autopkgtest (SUDO_FORCE_REMOVE=yes)
298 * Dropped changes:
299 - debian/rules:
300 + use dh-autoreconf (converted to using dh)
301
302 -- Lukas Märdian <slyon@ubuntu.com> Tue, 08 Feb 2022 12:01:45 +0100
303
122sudo (1.9.9-1) unstable; urgency=medium304sudo (1.9.9-1) unstable; urgency=medium
123305
124 * new upstream version306 * new upstream version
@@ -268,6 +450,37 @@ sudo (1.9.5p2-3+exp1) experimental; urgency=medium
268450
269 -- Marc Haber <mh+debian-packages@zugschlus.de> Fri, 12 Mar 2021 20:48:13 +0100451 -- Marc Haber <mh+debian-packages@zugschlus.de> Fri, 12 Mar 2021 20:48:13 +0100
270452
453sudo (1.9.5p2-3ubuntu2) impish; urgency=medium
454
455 * No-change rebuild due to OpenLDAP soname bump.
456
457 -- Sergio Durigan Junior <sergio.durigan@canonical.com> Mon, 21 Jun 2021 18:09:32 -0400
458
459sudo (1.9.5p2-3ubuntu1) impish; urgency=low
460
461 * Merge from Debian unstable (LP: #1929110). Remaining changes:
462 - debian/rules:
463 + use dh-autoreconf
464 - debian/rules: stop shipping init scripts, as they are no longer
465 necessary.
466 - debian/rules:
467 + compile with --without-lecture --with-tty-tickets --enable-admin-flag
468 + install man/man8/sudo_root.8 in both flavours
469 - debian/sudo.pam:
470 + Use pam_env to read /etc/environment and /etc/default/locale
471 environment files. Reading ~/.pam_environment is not permitted due
472 to security reasons.
473 - debian/sudoers:
474 + also grant admin group sudo access
475 + include /snap/bin in the secure_path
476 * Dropped changes, now included in Debian:
477 - debian/rules:
478 + install apport hooks
479 - debian/sudo-ldap.dirs, debian/sudo.dirs:
480 + add usr/share/apport/package-hooks
481
482 -- William 'jawn-smith' Wilson <william.wilson@canonical.com> Thu, 20 May 2021 15:43:31 +0000
483
271sudo (1.9.5p2-3) unstable; urgency=medium484sudo (1.9.5p2-3) unstable; urgency=medium
272485
273 * new maintainer team and uploaders (Closes: #976244)486 * new maintainer team and uploaders (Closes: #976244)
@@ -281,6 +494,49 @@ sudo (1.9.5p2-3) unstable; urgency=medium
281494
282 -- Marc Haber <mh+debian-packages@zugschlus.de> Sat, 27 Feb 2021 09:28:03 +0100495 -- Marc Haber <mh+debian-packages@zugschlus.de> Sat, 27 Feb 2021 09:28:03 +0100
283496
497sudo (1.9.5p2-2ubuntu3) hirsute; urgency=medium
498
499 * No change rebuild with fixed ownership.
500
501 -- Dimitri John Ledkov <xnox@ubuntu.com> Thu, 18 Feb 2021 00:03:21 +0000
502
503sudo (1.9.5p2-2ubuntu2) hirsute; urgency=medium
504
505 * No change rebuild against new permissions ABI. LP: #1915250
506
507 -- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 16 Feb 2021 10:39:16 +0000
508
509sudo (1.9.5p2-2ubuntu1) hirsute; urgency=low
510
511 * Merge from Debian unstable. (LP: #1915307)
512 * Remaining changes:
513 - debian/rules:
514 + use dh-autoreconf
515 - debian/rules: stop shipping init scripts, as they are no longer
516 necessary.
517 - debian/rules:
518 + compile with --without-lecture --with-tty-tickets --enable-admin-flag
519 + install man/man8/sudo_root.8 in both flavours
520 + install apport hooks
521 - debian/sudo-ldap.dirs, debian/sudo.dirs:
522 + add usr/share/apport/package-hooks
523 - debian/sudo.pam:
524 + Use pam_env to read /etc/environment and /etc/default/locale
525 environment files. Reading ~/.pam_environment is not permitted due
526 to security reasons.
527 - debian/sudoers:
528 + also grant admin group sudo access
529 + include /snap/bin in the secure_path
530 * Dropped patches, no longer needed because they are integrated in Debian:
531 - CVE-2021-23239.patch
532 - CVE-2021-3156-1.patch
533 - CVE-2021-3156-2.patch
534 - CVE-2021-3156-3.patch
535 - CVE-2021-3156-4.patch
536 - CVE-2021-3156-5.patch
537
538 -- William 'jawn-smith' Wilson <william.wilson@canonical.com> Wed, 10 Feb 2021 05:42:42 -0600
539
284sudo (1.9.5p2-2) unstable; urgency=medium540sudo (1.9.5p2-2) unstable; urgency=medium
285541
286 * patch from upstream repo to fix NO_ROOT_MAILER542 * patch from upstream repo to fix NO_ROOT_MAILER
@@ -317,6 +573,60 @@ sudo (1.9.5-1) unstable; urgency=medium
317573
318 -- Bdale Garbee <bdale@gag.com> Mon, 11 Jan 2021 15:15:48 -0700574 -- Bdale Garbee <bdale@gag.com> Mon, 11 Jan 2021 15:15:48 -0700
319575
576sudo (1.9.4p2-2ubuntu3) hirsute; urgency=medium
577
578 * SECURITY UPDATE: ineffective NO_ROOT_MAILER hardening option
579 - debian/patches/ineffective_no_root_mailer.patch: fix NO_ROOT_MAILER
580 in plugins/sudoers/logging.c, plugins/sudoers/policy.c.
581 - No CVE number
582
583 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Sat, 30 Jan 2021 14:35:13 -0500
584
585sudo (1.9.4p2-2ubuntu2) hirsute; urgency=medium
586
587 * SECURITY UPDATE: dir existence issue via sudoedit race
588 - debian/patches/CVE-2021-23239.patch: fix potential directory existing
589 info leak in sudoedit in src/sudo_edit.c.
590 - CVE-2021-23239
591 * SECURITY UPDATE: heap-based buffer overflow
592 - debian/patches/CVE-2021-3156-1.patch: reset valid_flags to
593 MODE_NONINTERACTIVE for sudoedit in src/parse_args.c.
594 - debian/patches/CVE-2021-3156-2.patch: add sudoedit flag checks in
595 plugin in plugins/sudoers/policy.c.
596 - debian/patches/CVE-2021-3156-3.patch: fix potential buffer overflow
597 when unescaping backslashes in plugins/sudoers/sudoers.c.
598 - debian/patches/CVE-2021-3156-4.patch: fix the memset offset when
599 converting a v1 timestamp to TS_LOCKEXCL in
600 plugins/sudoers/timestamp.c.
601 - debian/patches/CVE-2021-3156-5.patch: don't assume that argv is
602 allocated as a single flat buffer in src/parse_args.c.
603 - CVE-2021-3156
604
605 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 26 Jan 2021 14:37:48 -0500
606
607sudo (1.9.4p2-2ubuntu1) hirsute; urgency=low
608
609 * Merge from Debian unstable. Remaining changes:
610 - debian/rules:
611 + use dh-autoreconf
612 - debian/rules: stop shipping init scripts, as they are no longer
613 necessary.
614 - debian/rules:
615 + compile with --without-lecture --with-tty-tickets --enable-admin-flag
616 + install man/man8/sudo_root.8 in both flavours
617 + install apport hooks
618 - debian/sudo-ldap.dirs, debian/sudo.dirs:
619 + add usr/share/apport/package-hooks
620 - debian/sudo.pam:
621 + Use pam_env to read /etc/environment and /etc/default/locale
622 environment files. Reading ~/.pam_environment is not permitted due
623 to security reasons.
624 - debian/sudoers:
625 + also grant admin group sudo access
626 + include /snap/bin in the secure_path
627
628 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 06 Jan 2021 13:51:07 -0800
629
320sudo (1.9.4p2-2) unstable; urgency=medium630sudo (1.9.4p2-2) unstable; urgency=medium
321631
322 * always use /bin/mv to ensure reproducible builds whether built on a632 * always use /bin/mv to ensure reproducible builds whether built on a
@@ -342,6 +652,29 @@ sudo (1.9.4-1) unstable; urgency=medium
342652
343 -- Bdale Garbee <bdale@gag.com> Tue, 01 Dec 2020 22:10:03 -0500653 -- Bdale Garbee <bdale@gag.com> Tue, 01 Dec 2020 22:10:03 -0500
344654
655sudo (1.9.3p1-1ubuntu1) hirsute; urgency=low
656
657 * Merge from Debian unstable. Remaining changes:
658 - debian/rules:
659 + use dh-autoreconf
660 - debian/rules: stop shipping init scripts, as they are no longer
661 necessary.
662 - debian/rules:
663 + compile with --without-lecture --with-tty-tickets --enable-admin-flag
664 + install man/man8/sudo_root.8 in both flavours
665 + install apport hooks
666 - debian/sudo-ldap.dirs, debian/sudo.dirs:
667 + add usr/share/apport/package-hooks
668 - debian/sudo.pam:
669 + Use pam_env to read /etc/environment and /etc/default/locale
670 environment files. Reading ~/.pam_environment is not permitted due
671 to security reasons.
672 - debian/sudoers:
673 + also grant admin group sudo access
674 + include /snap/bin in the secure_path
675
676 -- Steve Langasek <steve.langasek@ubuntu.com> Sat, 24 Oct 2020 17:14:39 -0700
677
345sudo (1.9.3p1-1) unstable; urgency=medium678sudo (1.9.3p1-1) unstable; urgency=medium
346679
347 * new upstream version680 * new upstream version
@@ -363,12 +696,61 @@ sudo (1.9.1-2) unstable; urgency=medium
363696
364 -- Bdale Garbee <bdale@gag.com> Sun, 12 Jul 2020 09:52:08 -0600697 -- Bdale Garbee <bdale@gag.com> Sun, 12 Jul 2020 09:52:08 -0600
365698
699sudo (1.9.1-1ubuntu1) groovy; urgency=low
700
701 * Merge from Debian unstable. Remaining changes:
702 - debian/rules:
703 + use dh-autoreconf
704 - debian/rules: stop shipping init scripts, as they are no longer
705 necessary.
706 - debian/rules:
707 + compile with --without-lecture --with-tty-tickets --enable-admin-flag
708 + install man/man8/sudo_root.8 in both flavours
709 + install apport hooks
710 - debian/sudo-ldap.dirs, debian/sudo.dirs:
711 + add usr/share/apport/package-hooks
712 - debian/sudo.pam:
713 + Use pam_env to read /etc/environment and /etc/default/locale
714 environment files. Reading ~/.pam_environment is not permitted due
715 to security reasons.
716 - debian/sudoers:
717 + also grant admin group sudo access
718 + include /snap/bin in the secure_path
719
720 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 08 Jul 2020 09:38:55 -0700
721
366sudo (1.9.1-1) unstable; urgency=medium722sudo (1.9.1-1) unstable; urgency=medium
367723
368 * new upstream version724 * new upstream version
369725
370 -- Bdale Garbee <bdale@gag.com> Fri, 19 Jun 2020 15:44:09 -0600726 -- Bdale Garbee <bdale@gag.com> Fri, 19 Jun 2020 15:44:09 -0600
371727
728sudo (1.9.0-1ubuntu1) groovy; urgency=low
729
730 * Merge from Debian unstable. Remaining changes:
731 - debian/rules:
732 + use dh-autoreconf
733 - debian/rules: stop shipping init scripts, as they are no longer
734 necessary.
735 - debian/rules:
736 + compile with --without-lecture --with-tty-tickets --enable-admin-flag
737 + install man/man8/sudo_root.8 in both flavours
738 + install apport hooks
739 - debian/sudo-ldap.dirs, debian/sudo.dirs:
740 + add usr/share/apport/package-hooks
741 - debian/sudo.pam:
742 + Use pam_env to read /etc/environment and /etc/default/locale
743 environment files. Reading ~/.pam_environment is not permitted due
744 to security reasons.
745 - debian/sudoers:
746 + also grant admin group sudo access
747 + include /snap/bin in the secure_path
748 * Dropped changes, no longer needed:
749 - debian/control:
750 + use dh-autoreconf
751
752 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 20 May 2020 17:07:02 -0700
753
372sudo (1.9.0-1) unstable; urgency=medium754sudo (1.9.0-1) unstable; urgency=medium
373755
374 * new upstream version, closes: #669687, #571621, #734752756 * new upstream version, closes: #669687, #571621, #734752
@@ -381,12 +763,64 @@ sudo (1.8.31p1-1) unstable; urgency=medium
381763
382 -- Bdale Garbee <bdale@gag.com> Thu, 19 Mar 2020 15:47:17 -0600764 -- Bdale Garbee <bdale@gag.com> Thu, 19 Mar 2020 15:47:17 -0600
383765
766sudo (1.8.31-1ubuntu1) focal; urgency=medium
767
768 * Merge from Debian unstable. Remaining changes:
769 - debian/rules, debian/sudo.service, debian/sudo.sudo.init: stop
770 shipping init script and service file, as they are no longer
771 necessary.
772 - debian/rules:
773 + compile with --without-lecture --with-tty-tickets --enable-admin-flag
774 + install man/man8/sudo_root.8 in both flavours
775 + install apport hooks
776 - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs:
777 + add usr/share/apport/package-hooks
778 - debian/sudo.pam:
779 + Use pam_env to read /etc/environment and /etc/default/locale
780 environment files. Reading ~/.pam_environment is not permitted due to
781 security reasons.
782 - debian/sudoers:
783 + also grant admin group sudo access
784 + include /snap/bin in the secure_path
785 - debian/control, debian/rules:
786 + use dh-autoreconf
787
788 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 03 Feb 2020 09:32:18 -0500
789
384sudo (1.8.31-1) unstable; urgency=medium790sudo (1.8.31-1) unstable; urgency=medium
385791
386 * new upstream version792 * new upstream version
387793
388 -- Bdale Garbee <bdale@gag.com> Sat, 01 Feb 2020 23:07:09 -0800794 -- Bdale Garbee <bdale@gag.com> Sat, 01 Feb 2020 23:07:09 -0800
389795
796sudo (1.8.29-1ubuntu1) focal; urgency=medium
797
798 * Merge from Debian unstable.
799 Remaining changes:
800 - debian/rules, debian/sudo.service, debian/sudo.sudo.init: stop
801 shipping init script and service file, as they are no longer
802 necessary.
803 - debian/rules:
804 + compile with --without-lecture --with-tty-tickets --enable-admin-flag
805 + install man/man8/sudo_root.8 in both flavours
806 + install apport hooks
807 - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs:
808 + add usr/share/apport/package-hooks
809 - debian/sudo.pam:
810 + Use pam_env to read /etc/environment and /etc/default/locale
811 environment files. Reading ~/.pam_environment is not permitted due to
812 security reasons.
813 - debian/sudoers:
814 + also grant admin group sudo access
815 + include /snap/bin in the secure_path
816 - debian/control, debian/rules:
817 + use dh-autoreconf
818 * Removed patches included in new version:
819 - debian/patches/CVE-2019-14287.patch
820 - debian/patches/CVE-2019-14287-2.patch
821
822 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 26 Nov 2019 13:13:21 -0500
823
390sudo (1.8.29-1) unstable; urgency=medium824sudo (1.8.29-1) unstable; urgency=medium
391825
392 * new upstream version826 * new upstream version
@@ -409,6 +843,59 @@ sudo (1.8.27-1.1) unstable; urgency=high
409843
410 -- Salvatore Bonaccorso <carnil@debian.org> Mon, 14 Oct 2019 21:10:58 +0200844 -- Salvatore Bonaccorso <carnil@debian.org> Mon, 14 Oct 2019 21:10:58 +0200
411845
846sudo (1.8.27-1ubuntu4) eoan; urgency=medium
847
848 * SECURITY UPDATE: privilege escalation via UID -1
849 - debian/patches/CVE-2019-14287.patch: treat an ID of -1 as invalid
850 in lib/util/strtoid.c.
851 - debian/patches/CVE-2019-14287-2.patch: fix and add to tests in
852 lib/util/regress/atofoo/atofoo_test.c,
853 plugins/sudoers/regress/testsudoers/test5.out.ok,
854 plugins/sudoers/regress/testsudoers/test5.sh.
855 - CVE-2019-14287
856
857 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 15 Oct 2019 07:09:02 -0400
858
859sudo (1.8.27-1ubuntu3) eoan; urgency=medium
860
861 * No-change upload with strops.h and sys/strops.h removed in glibc.
862
863 -- Matthias Klose <doko@ubuntu.com> Thu, 05 Sep 2019 11:12:29 +0000
864
865sudo (1.8.27-1ubuntu2) eoan; urgency=medium
866
867 * Remove d/p/keep_home_by_default.patch (LP: #1556302)
868 - This restores sudo handling of $HOME to what everyone else does
869
870 -- Dan Streetman <ddstreet@canonical.com> Tue, 04 Jun 2019 08:58:02 -0400
871
872sudo (1.8.27-1ubuntu1) disco; urgency=medium
873
874 * Merge from Debian unstable.
875 Remaining changes:
876 - debian/rules, debian/sudo.service, debian/sudo.sudo.init: stop
877 shipping init script and service file, as they are no longer
878 necessary.
879 - debian/rules:
880 + compile with --without-lecture --with-tty-tickets --enable-admin-flag
881 + install man/man8/sudo_root.8 in both flavours
882 + install apport hooks
883 - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs:
884 + add usr/share/apport/package-hooks
885 - debian/sudo.pam:
886 + Use pam_env to read /etc/environment and /etc/default/locale
887 environment files. Reading ~/.pam_environment is not permitted due to
888 security reasons.
889 - debian/sudoers:
890 + also grant admin group sudo access
891 + include /snap/bin in the secure_path
892 - debian/control, debian/rules:
893 + use dh-autoreconf
894 - Remaining patches:
895 + keep_home_by_default.patch: Keep HOME in the default environment
896
897 -- Balint Reczey <rbalint@ubuntu.com> Tue, 19 Feb 2019 09:30:21 +0100
898
412sudo (1.8.27-1) unstable; urgency=medium899sudo (1.8.27-1) unstable; urgency=medium
413900
414 * new upstream version901 * new upstream version
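Review bot: d/p/keep_home_by_default.patch is removed in 1.8.27-1ubuntu2 (LP: #1556302) but is still listed under "Remaining patches" in 1.8.27-1ubuntu1 directly below it, so the merged tree must not carry that patch and the new entry's remaining-changes list must not mention it. Please confirm that debian/patches in the proposed branch does not reintroduce it, since that would change sudo's $HOME handling again without a changelog record. Separately, "strops.h and sys/strops.h" in 1.8.27-1ubuntu3 reads like a misspelling of stropts.h; keep it verbatim if that is how the entry was published, and restore the original text if it crept in during the manual reconstruction.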
@@ -433,6 +920,33 @@ sudo (1.8.26-1) unstable; urgency=medium
433920
434 -- Bdale Garbee <bdale@gag.com> Mon, 19 Nov 2018 00:32:06 -1000921 -- Bdale Garbee <bdale@gag.com> Mon, 19 Nov 2018 00:32:06 -1000
435922
923sudo (1.8.23-2ubuntu1) cosmic; urgency=medium
924
925 * Merge from Debian unstable.
926 Remaining changes:
927 - debian/rules, debian/sudo.service, debian/sudo.sudo.init: stop
928 shipping init script and service file, as they are no longer
929 necessary.
930 - debian/rules:
931 + compile with --without-lecture --with-tty-tickets --enable-admin-flag
932 + install man/man8/sudo_root.8 in both flavours
933 + install apport hooks
934 - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs:
935 + add usr/share/apport/package-hooks
936 - debian/sudo.pam:
937 + Use pam_env to read /etc/environment and /etc/default/locale
938 environment files. Reading ~/.pam_environment is not permitted due to
939 security reasons.
940 - debian/sudoers:
941 + also grant admin group sudo access
942 + include /snap/bin in the secure_path
943 - debian/control, debian/rules:
944 + use dh-autoreconf
945 - Remaining patches:
946 + keep_home_by_default.patch: Keep HOME in the default environment
947
948 -- Balint Reczey <rbalint@ubuntu.com> Thu, 23 Aug 2018 19:36:40 +0200
949
436sudo (1.8.23-2) unstable; urgency=high950sudo (1.8.23-2) unstable; urgency=high
437951
438 * fix FTBFS due to earlier sudoers2ldif removal, closes: #903415952 * fix FTBFS due to earlier sudoers2ldif removal, closes: #903415
@@ -445,12 +959,76 @@ sudo (1.8.23-1) unstable; urgency=medium
445959
446 -- Bdale Garbee <bdale@gag.com> Mon, 30 Apr 2018 20:55:10 -0600960 -- Bdale Garbee <bdale@gag.com> Mon, 30 Apr 2018 20:55:10 -0600
447961
962sudo (1.8.21p2-3ubuntu1) bionic; urgency=medium
963
964 * Merge from Debian unstable.
965 Remaining changes:
966 - debian/rules, debian/sudo.service, debian/sudo.sudo.init: stop
967 shipping init script and service file, as they are no longer
968 necessary.
969 - debian/rules:
970 + compile with --without-lecture --with-tty-tickets --enable-admin-flag
971 + install man/man8/sudo_root.8 in both flavours
972 + install apport hooks
973 - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs:
974 + add usr/share/apport/package-hooks
975 - debian/sudo.pam:
976 + Use pam_env to read /etc/environment and /etc/default/locale
977 environment files. Reading ~/.pam_environment is not permitted due to
978 security reasons.
979 - debian/sudoers:
980 + also grant admin group sudo access
981 + include /snap/bin in the secure_path
982 - debian/control, debian/rules:
983 + use dh-autoreconf
984 - Remaining patches:
985 + keep_home_by_default.patch: Keep HOME in the default environment
986
987 -- Balint Reczey <rbalint@ubuntu.com> Thu, 18 Jan 2018 01:08:16 +0100
988
448sudo (1.8.21p2-3) unstable; urgency=medium989sudo (1.8.21p2-3) unstable; urgency=medium
449990
450 * include sssd support in the sudo-ldap build too, closes: #884741991 * include sssd support in the sudo-ldap build too, closes: #884741
451992
452 -- Bdale Garbee <bdale@gag.com> Mon, 18 Dec 2017 21:55:18 -0700993 -- Bdale Garbee <bdale@gag.com> Mon, 18 Dec 2017 21:55:18 -0700
453994
995sudo (1.8.21p2-2ubuntu1) bionic; urgency=medium
996
997 * Merge from Debian unstable. (LP: #1731981)
998 Remaining changes:
999 - debian/rules, debian/sudo.service, debian/sudo.sudo.init: stop
1000 shipping init script and service file, as they are no longer
1001 necessary.
1002 - debian/rules:
1003 + compile with --without-lecture --with-tty-tickets --enable-admin-flag
1004 + install man/man8/sudo_root.8 in both flavours
1005 + install apport hooks
1006 - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs:
1007 + add usr/share/apport/package-hooks
1008 - debian/sudo.pam:
1009 + Use pam_env to read /etc/environment and /etc/default/locale
1010 environment files. Reading ~/.pam_environment is not permitted due to
1011 security reasons.
1012 - debian/sudoers:
1013 + also grant admin group sudo access
1014 + include /snap/bin in the secure_path
1015 - debian/control, debian/rules:
1016 + use dh-autoreconf
1017 - Remaining patches:
1018 + keep_home_by_default.patch: Keep HOME in the default environment
1019 Dropped changes since they are integrated in Debian:
1020 - Use tmpfs location to store timestamp files
1021 + debian/rules: change --with-rundir to /var/run/sudo
1022 + debian/*.preinst, debian/*.postinst, debian/*.postrm: remove old
1023 init script with dpkg-maintscript-helper.
1024 Dropped changes since the the transition took place already in every
1025 release the package can be upgraded from:
1026 + debian/*.postinst: remove old /var/run/sudo to /var/lib/sudo
1027 transition code, remove old /var/lib/sudo/ts timestamp directory.
1028 * Refresh patches
1029
1030 -- Balint Reczey <rbalint@ubuntu.com> Mon, 13 Nov 2017 17:53:45 +0100
1031
454sudo (1.8.21p2-2) unstable; urgency=medium1032sudo (1.8.21p2-2) unstable; urgency=medium
4551033
456 * work harder to clean up mess left by sudo-ldap using /etc/init.d/sudo1034 * work harder to clean up mess left by sudo-ldap using /etc/init.d/sudo
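Review bot: The 1.8.21p2-2ubuntu1 entry has a doubled word in "Dropped changes since the the transition took place already", and its two "Dropped changes since ..." headings carry no "-" or "*" marker, so they read as a continuation of the dh-autoreconf and keep_home_by_default items above them. Because the history in this branch was rebuilt by hand, diff this entry against the changelog of the last published Ubuntu upload: keep the text as is if it matches, and restore it if the reconstruction altered it.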
@@ -484,6 +1062,41 @@ sudo (1.8.21-1) unstable; urgency=medium
4841062
485 -- Bdale Garbee <bdale@gag.com> Mon, 28 Aug 2017 09:44:06 -06001063 -- Bdale Garbee <bdale@gag.com> Mon, 28 Aug 2017 09:44:06 -0600
4861064
1065sudo (1.8.20p2-1ubuntu1) artful; urgency=low
1066
1067 * Merge from Debian unstable. (LP: #1697587)
1068 Remaining changes:
1069 - Use tmpfs location to store timestamp files
1070 + debian/rules: change --with-rundir to /var/run/sudo
1071 + debian/rules, debian/sudo.service, debian/sudo.sudo.init: stop
1072 shipping init script and service file, as they are no longer
1073 necessary.
1074 + debian/*.preinst, debian/*.postinst, debian/*.postrm: remove old
1075 init script with dpkg-maintscript-helper.
1076 + debian/*.postinst: remove old /var/run/sudo to /var/lib/sudo
1077 transition code, remove old /var/lib/sudo/ts timestamp directory.
1078 - debian/rules:
1079 + compile with --without-lecture --with-tty-tickets --enable-admin-flag
1080 + install man/man8/sudo_root.8 in both flavours
1081 + install apport hooks
1082 - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs:
1083 + add usr/share/apport/package-hooks
1084 - debian/sudo.pam:
1085 + Use pam_env to read /etc/environment and /etc/default/locale
1086 environment files. Reading ~/.pam_environment is not permitted due to
1087 security reasons.
1088 - debian/sudoers:
1089 + also grant admin group sudo access
1090 + include /snap/bin in the secure_path
1091 - debian/control, debian/rules:
1092 + use dh-autoreconf
1093 - Remaining patches:
1094 + keep_home_by_default.patch: Keep HOME in the default environment
1095 - Dropped patches no longer needed:
1096 + CVE-2017-1000367.patch
1097
1098 -- Balint Reczey <rbalint@ubuntu.com> Mon, 12 Jun 2017 21:51:31 +0200
1099
487sudo (1.8.20p2-1) unstable; urgency=medium1100sudo (1.8.20p2-1) unstable; urgency=medium
4881101
489 * new upstream version1102 * new upstream version
@@ -513,6 +1126,51 @@ sudo (1.8.20-1) unstable; urgency=medium
5131126
514 -- Bdale Garbee <bdale@gag.com> Wed, 10 May 2017 10:25:46 -06001127 -- Bdale Garbee <bdale@gag.com> Wed, 10 May 2017 10:25:46 -0600
5151128
1129sudo (1.8.19p1-1ubuntu2) artful; urgency=medium
1130
1131 * SECURITY UPDATE: /proc/self/stat parsing confusion
1132 - debian/patches/CVE-2017-1000367.patch: adjust parsing to
1133 find ttyname
1134 - CVE-2017-1000367
1135
1136 -- Steve Beattie <sbeattie@ubuntu.com> Mon, 29 May 2017 03:13:37 -0700
1137
1138sudo (1.8.19p1-1ubuntu1) zesty; urgency=low
1139
1140 * Merge from Debian unstable. (LP: #1607666)
1141 Remaining changes:
1142 - Use tmpfs location to store timestamp files
1143 + debian/rules: change --with-rundir to /var/run/sudo
1144 + debian/rules, debian/sudo.service, debian/sudo.sudo.init: stop
1145 shipping init script and service file, as they are no longer
1146 necessary.
1147 + debian/*.preinst, debian/*.postinst, debian/*.postrm: remove old
1148 init script with dpkg-maintscript-helper.
1149 + debian/*.postinst: remove old /var/run/sudo to /var/lib/sudo
1150 transition code, remove old /var/lib/sudo/ts timestamp directory.
1151 - debian/rules:
1152 + compile with --without-lecture --with-tty-tickets --enable-admin-flag
1153 + install man/man8/sudo_root.8 in both flavours
1154 + install apport hooks
1155 - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs:
1156 + add usr/share/apport/package-hooks
1157 - debian/sudo.pam:
1158 + Use pam_env to read /etc/environment and /etc/default/locale
1159 environment files. Reading ~/.pam_environment is not permitted due to
1160 security reasons.
1161 - debian/sudoers:
1162 + also grant admin group sudo access
1163 + include /snap/bin in the secure_path
1164 - debian/control, debian/rules:
1165 + use dh-autoreconf
1166 - Remaining patches:
1167 + keep_home_by_default.patch: Keep HOME in the default environment
1168 - Dropped patches no longer needed:
1169 + debian/patches/lp1565567.patch: upstream.
1170 + debian/patches/also_check_sudo_group.diff: upstream.
1171
1172 -- Timo Aaltonen <tjaalton@debian.org> Sat, 14 Jan 2017 01:41:17 +0200
1173
516sudo (1.8.19p1-1) unstable; urgency=medium1174sudo (1.8.19p1-1) unstable; urgency=medium
5171175
518 * new upstream version1176 * new upstream version
@@ -553,6 +1211,61 @@ sudo (1.8.17p1-1) unstable; urgency=low
5531211
554 -- Bdale Garbee <bdale@gag.com> Tue, 05 Jul 2016 16:01:55 +02001212 -- Bdale Garbee <bdale@gag.com> Tue, 05 Jul 2016 16:01:55 +0200
5551213
1214sudo (1.8.16-0ubuntu3) yakkety; urgency=medium
1215
1216 * debian/sudoers:
1217 - include /snap/bin in the secure_path (LP: #1595558)
1218
1219 -- Michael Vogt <michael.vogt@ubuntu.com> Mon, 15 Aug 2016 18:08:34 +0200
1220
1221sudo (1.8.16-0ubuntu2) yakkety; urgency=medium
1222
1223 * debian/patches/lp1565567.patch: fix crash when looking up a negative
1224 cached entry which is stored as a NULL passwd or group struct pointer
1225 in plugins/sudoers/pwutil.c. (LP: #1565567)
1226
1227 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 04 May 2016 11:31:55 -0400
1228
1229sudo (1.8.16-0ubuntu1) xenial; urgency=medium
1230
1231 * Update to new upstream version 1.8.16. (LP: #1563825)
1232 - Dropped patches no longer needed:
1233 + CVE-2015-5602-6.patch
1234 + CVE-2015-5602-7.patch
1235 * Merge from Debian unstable. Remaining changes:
1236 - Use tmpfs location to store timestamp files
1237 + debian/rules: change --with-rundir to /var/run/sudo
1238 + debian/rules, debian/sudo.service, debian/sudo.sudo.init: stop
1239 shipping init script and service file, as they are no longer
1240 necessary.
1241 + debian/*.preinst, debian/*.postinst, debian/*.postrm: remove old
1242 init script with dpkg-maintscript-helper.
1243 + debian/*.postinst: remove old /var/run/sudo to /var/lib/sudo
1244 transition code, remove old /var/lib/sudo/ts timestamp directory.
1245 - debian/rules:
1246 + compile with --without-lecture --with-tty-tickets --enable-admin-flag
1247 + install man/man8/sudo_root.8 in both flavours
1248 + install apport hooks
1249 - debian/sudoers:
1250 + also grant admin group sudo access
1251 - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs:
1252 + add usr/share/apport/package-hooks
1253 - debian/sudo.pam:
1254 + Use pam_env to read /etc/environment and /etc/default/locale
1255 environment files. Reading ~/.pam_environment is not permitted due to
1256 security reasons.
1257 - debian/control:
1258 + dh-autoreconf dependency fixes missing-build-dependency-for-dh_-command
1259 - Remaining patches:
1260 + keep_home_by_default.patch: Keep HOME in the default environment
1261 + debian/patches/also_check_sudo_group.diff: also check the sudo group
1262 in plugins/sudoers/sudoers.c to create the admin flag file. Leave the
1263 admin group check for backwards compatibility.
1264 - Dropped patches no longer needed:
1265 + debian/patches/pam_check_untranslated_prompt.patch: upstream.
1266
1267 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 30 Mar 2016 08:03:52 -0400
1268
556sudo (1.8.15-1.1) unstable; urgency=medium1269sudo (1.8.15-1.1) unstable; urgency=medium
5571270
558 * Non-maintainer upload1271 * Non-maintainer upload
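Review bot: 1.8.16-0ubuntu1 lists CVE-2015-5602-6.patch and CVE-2015-5602-7.patch as dropped, but no Ubuntu entry added in this hunk or in the next one (1.8.12-1ubuntu1 through 1.8.12-1ubuntu3) introduces any CVE-2015-5602 patch. Please check against the changelog of the last published Ubuntu upload whether an intermediate entry went missing when the history was reconstructed manually, or state in the review where those patches originated.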
@@ -570,6 +1283,58 @@ sudo (1.8.15-1) unstable; urgency=low
5701283
571 -- Bdale Garbee <bdale@gag.com> Wed, 23 Dec 2015 11:15:22 -07001284 -- Bdale Garbee <bdale@gag.com> Wed, 23 Dec 2015 11:15:22 -0700
5721285
1286sudo (1.8.12-1ubuntu3) wily; urgency=medium
1287
1288 * debian/patches/pam_check_untranslated_prompt.patch: also check the un-
1289 translated version of the prompt when checking if the PAM prompt matches
1290 "Password:". Patch from Joel Pelaez Jorge. (LP: #1414303)
1291
1292 -- Mathieu Trudel-Lapierre <mathieu-tl@ubuntu.com> Tue, 22 Sep 2015 11:57:43 -0400
1293
1294sudo (1.8.12-1ubuntu2) wily; urgency=medium
1295
1296 * Use tmpfs location to store timestamp files (LP: #1458031)
1297 - debian/rules: change --with-rundir to /var/run/sudo
1298 - debian/rules, debian/sudo.service, debian/sudo.sudo.init: stop
1299 shipping init script and service file, as they are no longer
1300 necessary.
1301 - debian/*.preinst, debian/*.postinst, debian/*.postrm: remove old init
1302 script with dpkg-maintscript-helper.
1303 - debian/*.postinst: remove old /var/run/sudo to /var/lib/sudo
1304 transition code, remove old /var/lib/sudo/ts timestamp directory.
1305
1306 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 05 Jun 2015 09:31:38 -0400
1307
1308sudo (1.8.12-1ubuntu1) wily; urgency=medium
1309
1310 * Merge from Debian unstable. (LP: #1451274, LP: #1219337)
1311 Remaining changes:
1312 - debian/rules:
1313 + compile with --without-lecture --with-tty-tickets --enable-admin-flag
1314 + install man/man8/sudo_root.8 in both flavours
1315 + install apport hooks
1316 - debian/sudoers:
1317 + also grant admin group sudo access
1318 - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs:
1319 + add usr/share/apport/package-hooks
1320 - debian/sudo.pam:
1321 + Use pam_env to read /etc/environment and /etc/default/locale
1322 environment files. Reading ~/.pam_environment is not permitted due to
1323 security reasons.
1324 - debian/control:
1325 + dh-autoreconf dependency fixes missing-build-dependency-for-dh_-command
1326 - Remaining patches:
1327 + keep_home_by_default.patch: Keep HOME in the default environment
1328 + debian/patches/also_check_sudo_group.diff: also check the sudo group
1329 in plugins/sudoers/sudoers.c to create the admin flag file. Leave the
1330 admin group check for backwards compatibility.
1331 * Dropped patches no longer needed:
1332 + add_probe_interfaces_setting.diff
1333 + actually-use-buildflags.diff
1334 + CVE-2014-9680.patch
1335
1336 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 13 May 2015 15:43:49 -0400
1337
573sudo (1.8.12-1) unstable; urgency=low1338sudo (1.8.12-1) unstable; urgency=low
5741339
575 * new upstream version, closes: #772707, #7733831340 * new upstream version, closes: #772707, #773383
@@ -612,6 +1377,64 @@ sudo (1.8.10p3-1) unstable; urgency=low
6121377
613 -- Bdale Garbee <bdale@gag.com> Sun, 14 Sep 2014 10:20:15 -06001378 -- Bdale Garbee <bdale@gag.com> Sun, 14 Sep 2014 10:20:15 -0600
6141379
1380sudo (1.8.9p5-1ubuntu5) vivid; urgency=medium
1381
1382 * SECURITY UPDATE: arbitrary file access via TZ
1383 - debian/patches/CVE-2014-9680.patch: sanity check TZ env variable in
1384 configure, configure.ac, doc/sudoers.cat, doc/sudoers.man.in,
1385 doc/sudoers.mdoc.in, m4/sudo.m4, pathnames.h.in,
1386 plugins/sudoers/env.c.
1387 - CVE-2014-9680
1388
1389 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 12 Mar 2015 10:45:21 -0400
1390
1391sudo (1.8.9p5-1ubuntu4) vivid; urgency=medium
1392
1393 * Correct sudo.pam use "session" for pam_env.so, not "auth". (LP:
1394 #155794, LP: #25700)
1395
1396 -- Dimitri John Ledkov <dimitri.j.ledkov@linux.intel.com> Tue, 23 Dec 2014 04:08:33 +0000
1397
1398sudo (1.8.9p5-1ubuntu3) vivid; urgency=medium
1399
1400 * debian/patches/also_check_sudo_group.diff: also check the sudo group
1401 in plugins/sudoers/sudoers.c to create the admin flag file. Leave the
1402 admin group check for backwards compatibility. (LP: #1387347)
1403
1404 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 29 Oct 2014 15:55:34 -0400
1405
1406sudo (1.8.9p5-1ubuntu2) utopic; urgency=medium
1407
1408 * debian/sudo_root.8: mention sudo group instead of deprecated group
1409 admin (LP: #1130643)
1410
1411 -- Andrey Bondarenko <abondarenko@users.sourceforge.net> Sat, 23 Aug 2014 01:18:05 +0600
1412
1413sudo (1.8.9p5-1ubuntu1) trusty; urgency=low
1414
1415 * Merge from Debian unstable. Remaining changes:
1416 - debian/rules:
1417 + compile with --without-lecture --with-tty-tickets --enable-admin-flag
1418 + install man/man8/sudo_root.8 in both flavours
1419 + install apport hooks
1420 - debian/sudoers:
1421 + also grant admin group sudo access
1422 - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs:
1423 + add usr/share/apport/package-hooks
1424 - debian/sudo.pam:
1425 + Use pam_env to read /etc/environment and /etc/default/locale
1426 environment files. Reading ~/.pam_environment is not permitted due to
1427 security reasons.
1428 - debian/control:
1429 + dh-autoreconf dependency fixes missing-build-dependency-for-dh_-command
1430 - Remaining patches:
1431 + keep_home_by_default.patch: Keep HOME in the default environment
1432 + actually-use-buildflags: Pass LDFLAGS everywhere
1433 + add_probe_interfaces_setting.diff: option to disable network inf probe
1434 * add_probe_interfaces_setting.diff: fix to not modify NEWS file.
1435
1436 -- Chris J Arges <chris.j.arges@ubuntu.com> Mon, 10 Feb 2014 12:21:53 -0600
1437
615sudo (1.8.9p5-1) unstable; urgency=low1438sudo (1.8.9p5-1) unstable; urgency=low
6161439
617 * new upstream release, closes: #7353281440 * new upstream release, closes: #735328
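Review bot: The module type for pam_env.so is not recorded in the debian/sudo.pam item of the "Remaining changes" list (see 1.8.9p5-1ubuntu1 in this hunk), although 1.8.9p5-1ubuntu4 had to correct it from "auth" to "session". This merge re-applies the PAM delta to debian/etc/pam.d/sudo and debian/etc/pam.d/sudo-i (+3 lines each in the file list), so please confirm the re-added pam_env lines are "session" lines that still do not read ~/.pam_environment, and say so explicitly in the new entry so the next merge can verify it from the changelog alone.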
@@ -658,6 +1481,33 @@ sudo (1.8.8-3) unstable; urgency=low
6581481
659 -- Bdale Garbee <bdale@gag.com> Wed, 30 Oct 2013 10:33:44 -06001482 -- Bdale Garbee <bdale@gag.com> Wed, 30 Oct 2013 10:33:44 -0600
6601483
1484sudo (1.8.8-2ubuntu2) trusty; urgency=medium
1485
1486 * Build using dh-autoreconf.
1487
1488 -- Matthias Klose <doko@ubuntu.com> Sun, 15 Dec 2013 16:24:49 +0100
1489
1490sudo (1.8.8-2ubuntu1) trusty; urgency=low
1491
1492 * Merge from Debian unstable. Remaining changes:
1493 - debian/rules:
1494 + compile with --without-lecture --with-tty-tickets --enable-admin-flag
1495 + install man/man8/sudo_root.8 in both flavours
1496 + install apport hooks
1497 - debian/sudoers:
1498 + also grant admin group sudo access
1499 - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs:
1500 + add usr/share/apport/package-hooks
1501 - debian/sudo.pam:
1502 + Use pam_env to read /etc/environment and /etc/default/locale
1503 environment files. Reading ~/.pam_environment is not permitted due to
1504 security reasons.
1505 - Remaining patches:
1506 + keep_home_by_default.patch: Keep HOME in the default environment
1507 + actually-use-buildflags: Pass LDFLAGS everywhere
1508
1509 -- Stéphane Graber <stgraber@ubuntu.com> Tue, 22 Oct 2013 17:43:37 -0400
1510
661sudo (1.8.8-2) unstable; urgency=low1511sudo (1.8.8-2) unstable; urgency=low
6621512
663 * fix touch errors on boot, closes: #7251931513 * fix touch errors on boot, closes: #725193
@@ -713,6 +1563,72 @@ sudo (1.8.7-1) unstable; urgency=low
7131563
714 -- Bdale Garbee <bdale@gag.com> Wed, 14 Aug 2013 00:01:14 +02001564 -- Bdale Garbee <bdale@gag.com> Wed, 14 Aug 2013 00:01:14 +0200
7151565
1566sudo (1.8.6p3-0ubuntu3) raring; urgency=low
1567
1568 * SECURITY UPDATE: authentication bypass via clock set to epoch
1569 - debian/patches/CVE-2013-1775.patch: ignore time stamp file if it is
1570 set to epoch in plugins/sudoers/check.c.
1571 - CVE-2013-1775
1572
1573 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Wed, 27 Feb 2013 13:26:26 -0500
1574
1575sudo (1.8.6p3-0ubuntu2) raring; urgency=low
1576
1577 * The latest sssd upload dropped the soname from libsss_sudo.so, so we
1578 can now drop our sudo delta and just use libsss_sudo.so directly.
1579
1580 -- Stéphane Graber <stgraber@ubuntu.com> Fri, 07 Dec 2012 23:11:45 -0500
1581
1582sudo (1.8.6p3-0ubuntu1) raring; urgency=low
1583
1584 * New upstream release (1.8.6p3).
1585 * Add patch to fix building with sssd when ldap is disabled.
1586 * Drop sudo.manpages and sudo-ldap.manpages as the upstream build system
1587 now does the right thing here.
1588 * Build the main sudo package with support for sssd, this doesn't add any
1589 additional build time or runtime dependency. sudo will dynamically load
1590 the sssd library if 'sss' is listed for the 'sudoers' nss service.
1591
1592 -- Stéphane Graber <stgraber@ubuntu.com> Fri, 16 Nov 2012 09:31:32 -0500
1593
1594sudo (1.8.5p2-1ubuntu1) quantal; urgency=low
1595
1596 * Merge from debian/testing (LP: #1024154), remaining changes:
1597 - debian/patches/keep_home_by_default.patch:
1598 + Set HOME in initial_keepenv_table.
1599 - debian/rules:
1600 + compile with --without-lecture --with-tty-tickets (Ubuntu specific)
1601 + install man/man8/sudo_root.8 in both flavours (Ubuntu specific)
1602 + install apport hooks
1603 + The ubuntu-sudo-as-admin-successful.patch was taken upstream by
1604 Debian however it requires a --enable-admin-flag configure flag to
1605 actually enable it in both flavours.
1606 - debian/control:
1607 + Mark Debian Vcs-* as XS-Debian-Vcs-*
1608 + update debian/control
1609 - debian/sudoers:
1610 + grant admin group sudo access
1611 - debian/source_sudo.py, debian/sudo-ldap.dirs, debian/sudo.dirs:
1612 + add usr/share/apport/package-hooks
1613 - debian/sudo.pam:
1614 + Use pam_env to read /etc/environment and /etc/default/locale
1615 environment files. Reading ~/.pam_environment is not permitted due to
1616 security reasons.
1617 * Dropped changes:
1618 - debian/patches/lp927828-fix-abort-in-pam-modules-when-timestamp-valid.patch
1619 + Fixed upstream in 1.8.5
1620 - debian/patches/CVE-2012-2337.patch:
1621 + Fixed upstream in 1.8.4p5
1622 - debian/patches/pam_env_merge.patch:
1623 + Feature released upstream in 1.8.5
1624 - debian/{sudo,sudo-ldap}.{preinst,postinst,postrm}:
1625 + Drop Ubuntu-specific sudoers file migration code because the only
1626 upgrade path to quantal is from precise. All necessary sudoers file
1627 migration will have already been done by the time this version of the
1628 sudo package is installed.
1629
1630 -- Tyler Hicks <tyhicks@canonical.com> Mon, 16 Jul 2012 14:01:42 +0200
1631
716sudo (1.8.5p2-1) unstable; urgency=low1632sudo (1.8.5p2-1) unstable; urgency=low
7171633
718 * new upstream version1634 * new upstream version
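Review bot: debian/sudo.manpages and debian/sudo-ldap.manpages each gain a line in this merge according to the file list, whereas 1.8.6p3-0ubuntu1 in this hunk records dropping both files because "the upstream build system now does the right thing here". Please make sure the new top entry explains why the delta lives in those files again (my guess is installing sudo_root.8, which the later entries attribute to debian/rules), otherwise the next merger may drop it on the strength of this older entry.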
@@ -723,6 +1639,54 @@ sudo (1.8.5p2-1) unstable; urgency=low
7231639
724 -- Bdale Garbee <bdale@gag.com> Thu, 28 Jun 2012 12:01:37 -06001640 -- Bdale Garbee <bdale@gag.com> Thu, 28 Jun 2012 12:01:37 -0600
7251641
1642sudo (1.8.3p2-1ubuntu2) quantal; urgency=low
1643
1644 * debian/patches/pam_env_merge.patch: Merge the PAM environment into the
1645 user environment (LP: #982684)
1646 * debian/sudo.pam: Use pam_env to read /etc/environment and
1647 /etc/default/locale environment files. Reading ~/.pam_environment is not
1648 permitted due to security reasons.
1649
1650 -- Tyler Hicks <tyhicks@canonical.com> Mon, 21 May 2012 00:48:10 -0500
1651
1652sudo (1.8.3p2-1ubuntu1) quantal; urgency=low
1653
1654 * Merge from debian/testing, remaining changes:
1655 - debian/patches/keep_home_by_default.patch:
1656 + Set HOME in initial_keepenv_table. (rebased for 1.8.3p1)
1657 - debian/patches/lp927828-fix-abort-in-pam-modules-when-timestamp-valid.patch
1658 + Fix Abort in some PAM modules when timestamp is valid. (LP: #927828)
1659 - debian/patches/CVE-2012-2337.patch: Don't perform IPv6 checks on IPv4
1660 addresses. Based on upstream patch.
1661 - debian/rules:
1662 + compile with --without-lecture --with-tty-tickets (Ubuntu specific)
1663 + install man/man8/sudo_root.8 in both flavours (Ubuntu specific)
1664 + install apport hooks
1665 + The ubuntu-sudo-as-admin-successful.patch was taken upstream by
1666 Debian however it requires a --enable-admin-flag configure flag to
1667 actually enable it in both flavours.
1668 - debian/control:
1669 + Mark Debian Vcs-* as XS-Debian-Vcs-*
1670 + update debian/control
1671 - debian/sudoers:
1672 + grant admin group sudo access
1673 - debian/sudo-ldap.dirs, debian/sudo.dirs:
1674 + add usr/share/apport/package-hooks
1675 - debian/sudo.preinst:
1676 + avoid conffile prompt by checking for known default /etc/sudoers
1677 and if found installing the correct default /etc/sudoers file.
1678 Modified for updated default sudoers. Aproach taken is different
1679 from Debian. Maybe this should now be dropped, since an LTS was
1680 released.
1681
1682 * Dropped changes:
1683 - debian/patches/CVE-2012-0809.patch:
1684 + dropped, included in this new upstream release.
1685 - debian/patches/enable_badpass.patch:
1686 + dropped as Debian chose to set this by default in the sudoers.
1687
1688 -- Dmitrijs Ledkovs <dmitrij.ledkov@ubuntu.com> Tue, 01 May 2012 16:12:45 +0100
1689
726sudo (1.8.3p2-1) unstable; urgency=high1690sudo (1.8.3p2-1) unstable; urgency=high
7271691
728 * new upstream version, closes: #657985 (CVE-2012-0809)1692 * new upstream version, closes: #657985 (CVE-2012-0809)
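Review bot: "Aproach" in the debian/sudo.preinst item of 1.8.3p2-1ubuntu1 is misspelled, and an empty line separates that item from "* Dropped changes:", which the comparable entries in this changelog do not have. If both are present in the published 1.8.3p2-1ubuntu1 changelog they should stay untouched; if not, they point at a transcription slip in the hand-built history and the rest of this entry deserves a closer comparison.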
@@ -753,6 +1717,66 @@ sudo (1.8.3p1-2) unstable; urgency=low
7531717
754 -- Bdale Garbee <bdale@gag.com> Sat, 12 Nov 2011 16:27:13 -07001718 -- Bdale Garbee <bdale@gag.com> Sat, 12 Nov 2011 16:27:13 -0700
7551719
1720sudo (1.8.3p1-1ubuntu5) quantal; urgency=low
1721
1722 * SECURITY UPDATE: Properly handle netmasks in sudoers Host and Host_List
1723 values (LP: #1000276)
1724 - debian/patches/CVE-2012-2337.patch: Don't perform IPv6 checks on IPv4
1725 addresses. Based on upstream patch.
1726 - CVE-2012-2337
1727
1728 -- Tyler Hicks <tyhicks@canonical.com> Wed, 16 May 2012 09:42:17 -0500
1729
1730sudo (1.8.3p1-1ubuntu4) quantal; urgency=low
1731
1732 * Fix Abort in some PAM modules when timestamp is valid. (LP: #927828)
1733
1734 -- TJ (Ubuntu Contributions) <ubuntu@tjworld.net> Mon, 30 Apr 2012 17:55:27 +0100
1735
1736sudo (1.8.3p1-1ubuntu3) precise; urgency=low
1737
1738 * SECURITY UPDATE: permissions bypass via format string
1739 - debian/patches/CVE-2012-0809.patch: fix format string vulnerability
1740 in src/sudo.c.
1741 - CVE-2012-0809
1742
1743 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Tue, 31 Jan 2012 10:25:52 -0500
1744
1745sudo (1.8.3p1-1ubuntu2) precise; urgency=low
1746
1747 * debian/sudo.preinst:
1748 - updated to avoid conffile prompt by migrating to the new sudoers file
1749 changes in Precise. (LP: #894410)
1750
1751 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Thu, 24 Nov 2011 10:48:58 -0500
1752
1753sudo (1.8.3p1-1ubuntu1) precise; urgency=low
1754
1755 * Merge from debian/testing, remaining changes:
1756 - debian/patches/keep_home_by_default.patch:
1757 + Set HOME in initial_keepenv_table. (rebased for 1.8.3p1)
1758 - debian/patches/enable_badpass.patch: turn on "mail_badpass" by default:
1759 + attempting sudo without knowing a login password is as bad as not
1760 being listed in the sudoers file, especially if getting the password
1761 wrong means doing the access-check-email-notification never happens
1762 (rebased for 1.8.3p1)
1763 - debian/rules:
1764 + compile with --without-lecture --with-tty-tickets (Ubuntu specific)
1765 + install man/man8/sudo_root.8 (Ubuntu specific)
1766 + install apport hooks
1767 + The ubuntu-sudo-as-admin-successful.patch was taken upstream by
1768 Debian however it requires a --enable-admin-flag configure flag to
1769 actually enable it.
1770 - debian/sudoers:
1771 + grant admin group sudo access
1772 - debian/sudo-ldap.dirs, debian/sudo.dirs:
1773 + add usr/share/apport/package-hooks
1774 - debian/sudo.preinst:
1775 + avoid conffile prompt by checking for known default /etc/sudoers
1776 and if found installing the correct default /etc/sudoers file
1777
1778 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Sun, 20 Nov 2011 12:07:45 -0500
1779
756sudo (1.8.3p1-1) unstable; urgency=low1780sudo (1.8.3p1-1) unstable; urgency=low
7571781
758 * new upstream version, closes: #6464781782 * new upstream version, closes: #646478
@@ -795,6 +1819,33 @@ sudo (1.8.2-1) unstable; urgency=low
7951819
796 -- Bdale Garbee <bdale@gag.com> Wed, 24 Aug 2011 13:33:11 -06001820 -- Bdale Garbee <bdale@gag.com> Wed, 24 Aug 2011 13:33:11 -0600
7971821
1822sudo (1.7.4p6-1ubuntu2) oneiric; urgency=low
1823
1824 * debian/patches/enable_badpass.patch: turn on "mail_badpass" by default:
1825 - attempting sudo without knowing a login password is as bad as not
1826 being listed in the sudoers file, especially if getting the password
1827 wrong means doing the access-check-email-notification never happens
1828 (Closes: 641218).
1829
1830 -- Kees Cook <kees@ubuntu.com> Sun, 11 Sep 2011 10:29:08 -0700
1831
1832sudo (1.7.4p6-1ubuntu1) oneiric; urgency=low
1833
1834 * Merge from debian/unstable, remaining changes:
1835 - debian/patches/keep_home_by_default.patch:
1836 + Set HOME in initial_keepenv_table.
1837 - debian/rules:
1838 + compile with --without-lecture --with-tty-tickets (Ubuntu specific)
1839 + install man/man8/sudo_root.8 (Ubuntu specific)
1840 + install apport hooks
1841 - debian/sudoers:
1842 + grant admin group sudo access
1843 - debian/sudo-ldap.dirs, debian/sudo.dirs:
1844 + add usr/share/apport/package-hooks
1845 * drop debian/patches/CVE-2011-0010.patch, applied upstream now
1846
1847 -- Michael Vogt <michael.vogt@ubuntu.com> Mon, 23 May 2011 09:50:37 +0200
1848
798sudo (1.7.4p6-1) unstable; urgency=low1849sudo (1.7.4p6-1) unstable; urgency=low
7991850
800 * new upstream version1851 * new upstream version
@@ -811,6 +1862,77 @@ sudo (1.7.4p4-6) unstable; urgency=low
8111862
812 -- Bdale Garbee <bdale@gag.com> Tue, 11 Jan 2011 10:22:39 -07001863 -- Bdale Garbee <bdale@gag.com> Tue, 11 Jan 2011 10:22:39 -0700
8131864
1865sudo (1.7.4p4-5ubuntu8) oneiric; urgency=low
1866
1867 * debian/sudo.preinst:
1868 - if well-known ec2 vmbuilder file is found, write a file in
1869 sudoers.d for the 'ubuntu' user (LP: #768625)
1870
1871 -- Scott Moser <smoser@ubuntu.com> Thu, 21 Apr 2011 18:04:34 -0400
1872
1873sudo (1.7.4p4-5ubuntu7) natty; urgency=low
1874
1875 * debian/sudo.preinst:
1876 - do not consider the ec2 vmbuilder default sudoers file
1877 verbatim as its actually customized (LP: #761689)
1878
1879 -- Michael Vogt <michael.vogt@ubuntu.com> Fri, 15 Apr 2011 16:40:10 +0200
1880
1881sudo (1.7.4p4-5ubuntu6) natty; urgency=low
1882
1883 * debian/patches/keep_home_by_default.patch: Set HOME in
1884 initial_keepenv_table. LP: #760140
1885
1886 -- Steve Langasek <steve.langasek@ubuntu.com> Wed, 13 Apr 2011 12:32:25 -0700
1887
1888sudo (1.7.4p4-5ubuntu5) natty; urgency=low
1889
1890 * debian/sudo.preinst:
1891 - avoid conffile prompt by checking for known default /etc/sudoers
1892 and if found installing the correct default /etc/sudoers file
1893 (LP: #690873)
1894
1895 -- Michael Vogt <michael.vogt@ubuntu.com> Fri, 25 Mar 2011 09:13:43 +0100
1896
1897sudo (1.7.4p4-5ubuntu4) natty; urgency=low
1898
1899 * debian/rules: The ubuntu-sudo-as-admin-successful.patch was taken
1900 upstream by Debian however it requires a --enable-admin-flag configure
1901 flag to actually enable it.
1902 (LP: #706045)
1903
1904 -- Bryce Harrington <bryce@ubuntu.com> Thu, 10 Feb 2011 12:01:53 -0800
1905
1906sudo (1.7.4p4-5ubuntu3) natty; urgency=low
1907
1908 * SECURITY UPDATE: privilege escalation via -g when using group Runas_List
1909 - debian/patches/CVE-2011-0010.patch: prompt for password when the user is
1910 running sudo as himself but as a different group
1911 - CVE-2011-0010
1912
1913 -- Jamie Strandboge <jamie@ubuntu.com> Tue, 18 Jan 2011 16:37:09 -0600
1914
1915sudo (1.7.4p4-5ubuntu2) natty; urgency=low
1916
1917 * debian/sudoers: temporarily workaround LP #690873 by adding %admin
1918 into the default sudoers file in case people just say "yes" to the
1919 dpkg conffile prompt.
1920
1921 -- Kees Cook <kees@ubuntu.com> Wed, 15 Dec 2010 15:38:17 -0800
1922
1923sudo (1.7.4p4-5ubuntu1) natty; urgency=low
1924
1925 * Merge from debian unstable (LP: #689025), remaining changes:
1926 - debian/rules:
1927 + compile with --without-lecture --with-tty-tickets (Ubuntu specific)
1928 + install man/man8/sudo_root.8 (Ubuntu specific)
1929 + install apport hooks
1930 - debian/sudo-ldap.dirs, debian/sudo.dirs: add
1931 usr/share/apport/package-hooks
1932 * This upload also fixes: LP: #609645
1933
1934 -- Lorenzo De Liso <blackz@ubuntu.com> Wed, 15 Dec 2010 21:32:57 +0100
1935
814sudo (1.7.4p4-5) unstable; urgency=low1936sudo (1.7.4p4-5) unstable; urgency=low
8151937
816 * patch from Jakub Wilk to add noopt and nostrip build option support,1938 * patch from Jakub Wilk to add noopt and nostrip build option support,
@@ -864,6 +1986,47 @@ sudo (1.7.4p4-1) unstable; urgency=high
8641986
865 -- Bdale Garbee <bdale@gag.com> Tue, 07 Sep 2010 12:22:42 -06001987 -- Bdale Garbee <bdale@gag.com> Tue, 07 Sep 2010 12:22:42 -0600
8661988
1989sudo (1.7.2p7-1ubuntu3) natty; urgency=low
1990
1991 * No-change upload to drop sizable upstream changelog.
1992
1993 -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 22 Nov 2010 11:24:33 +0100
1994
1995sudo (1.7.2p7-1ubuntu2) maverick; urgency=low
1996
1997 * SECURITY UPDATE: privilege escalation via '-g' option when using
1998 'user:group' in Runas_Spec
1999 - debian/patches/CVE-2010-2956.patch: update match.c to verify both user
2000 and group match sudoers when using '-g'
2001 - CVE-2010-2956
2002
2003 -- Jamie Strandboge <jamie@ubuntu.com> Tue, 31 Aug 2010 14:54:06 -0500
2004
2005sudo (1.7.2p7-1ubuntu1) maverick; urgency=low
2006
2007 * Merge from debian unstable. Remaining changes:
2008 - debian/rules:
2009 - compile with --without-lecture --with-tty-tickets (Ubuntu specific)
2010 - install man/man8/sudo_root.8 (Ubuntu specific)
2011 - install apport hooks
2012 - debian/sudo-ldap.dirs, debian/sudo.dirs: add
2013 usr/share/apport/package-hooks
2014 - debian/patches/ubuntu-sudo-as-admin-successful.patch: adjust sudo.c so
2015 that if the user successfully authenticated and he is in the 'admin'
2016 group, then create a stamp ~/.sudo_as_admin_successful. Our default bash
2017 profile checks for this and displays a short intro about sudo if the flag
2018 is not present
2019 * Dropped the following, now included upstream:
2020 - fix for CVE-2010-1163
2021 - fix for CVE-2010-0426
2022 - debian/sudo.postinst, debian/sudo-ldap.postinst: update description to
2023 match behavior in sudoers file
2024 - don't install init script. Debian moved to /var/lib/sudo from
2025 /var/run/sudo, so Ubuntu's tmpfs usage won't clean those out
2026 automatically any more, so we now need the initscript.
2027
2028 -- Jamie Strandboge <jamie@ubuntu.com> Tue, 06 Jul 2010 11:43:05 -0500
2029
867sudo (1.7.2p7-1) unstable; urgency=high2030sudo (1.7.2p7-1) unstable; urgency=high
8682031
869 * new upstream release with security fix for secure path (CVE-2010-1646),2032 * new upstream release with security fix for secure path (CVE-2010-1646),
@@ -899,6 +2062,62 @@ sudo (1.7.2p5-1) unstable; urgency=low
8992062
900 -- Bdale Garbee <bdale@gag.com> Thu, 11 Mar 2010 15:44:53 -07002063 -- Bdale Garbee <bdale@gag.com> Thu, 11 Mar 2010 15:44:53 -0700
9012064
2065sudo (1.7.2p1-1ubuntu5) lucid; urgency=low
2066
2067 * SECURITY UPDATE: properly verify path in find_path.c for the 'sudoedit'
2068 pseudo-command when running from the current working directory and
2069 secure_path is disabled
2070 - CVE-2010-XXXX
2071
2072 -- Jamie Strandboge <jamie@ubuntu.com> Wed, 07 Apr 2010 15:35:36 -0500
2073
2074sudo (1.7.2p1-1ubuntu4) lucid; urgency=low
2075
2076 * env.c: Revert addition of "http_proxy" again. This was an Ubuntu specific
2077 EBW hack, caused inconsistencies with other proxy variables (such as
2078 https_proxy and ftp_proxy), made sudo incompatible to upstream
2079 behaviour/documentation. This is solved in a much better way in apt itself
2080 and gnome-network-properties now. (LP: #432631)
2081
2082 -- Martin Pitt <martin.pitt@ubuntu.com> Fri, 26 Mar 2010 18:48:18 +0100
2083
2084sudo (1.7.2p1-1ubuntu3) lucid; urgency=low
2085
2086 * debian/sudo.postinst, debian/sudo-ldap.postinst: update description to
2087 match behaviour in sudoers file. (LP: #534090)
2088
2089 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Sun, 07 Mar 2010 19:49:39 -0500
2090
2091sudo (1.7.2p1-1ubuntu2) lucid; urgency=low
2092
2093 * SECURITY UPDATE: properly verify path for the 'sudoedit' pseudo-command
2094 in match.c
2095 - http://sudo.ws/repos/sudo/rev/88f3181692fe
2096 - CVE-2010-0426
2097
2098 -- Jamie Strandboge <jamie@ubuntu.com> Wed, 24 Feb 2010 16:50:11 -0600
2099
2100sudo (1.7.2p1-1ubuntu1) lucid; urgency=low
2101
2102 * Merge from debian testing. Remaining changes:
2103 - debian/rules: Disable lecture, enable tty_tickets by default. (Ubuntu
2104 specific)
2105 - Add debian/sudo_root.8: Explanation of root handling through sudo.
2106 Install it in debian/rules. (Ubuntu specific)
2107 - sudo.c: If the user successfully authenticated and he is in the 'admin'
2108 group, then create a stamp ~/.sudo_as_admin_successful. Our default bash
2109 profile checks for this and displays a short intro about sudo if the
2110 flag is not present. (Ubuntu specific)
2111 - env.c: Add "http_proxy" to initial_keepenv_table, so that it is kept
2112 for "sudo apt-get ...". (Ubuntu specific EBW hack, should disappear at
2113 some point)
2114 - debian/{rules,postinst,sudo-ldap.postinst}: Disable init script
2115 installation. Debian reintroduced it because /var/run tmpfs is not the
2116 default there, but has been on Ubuntu for ages.
2117 - debian/{source_sudo.py,rules,sudo-ldap.dirs,sudo.dirs}: Add apport hook
2118
2119 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Mon, 08 Feb 2010 18:47:06 -0500
2120
902sudo (1.7.2p1-1) unstable; urgency=low2121sudo (1.7.2p1-1) unstable; urgency=low
9032122
904 * new upstream version2123 * new upstream version
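Review bot: In the re-added 1.7.2p1-1ubuntu5 stanza the identifier is still the placeholder CVE-2010-XXXX. As restored Ubuntu history it should stay exactly as it was uploaded, which makes it a useful spot check: diff the stanzas re-added in this hunk against debian/changelog from the previous Ubuntu upload to confirm they are verbatim, since the history for this merge was reconstructed manually and no tags were pushed.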
@@ -926,6 +2145,40 @@ sudo (1.7.2-1) unstable; urgency=low
9262145
927 -- Bdale Garbee <bdale@gag.com> Wed, 15 Jul 2009 01:29:46 -06002146 -- Bdale Garbee <bdale@gag.com> Wed, 15 Jul 2009 01:29:46 -0600
9282147
2148sudo (1.7.0-1ubuntu3) lucid; urgency=low
2149
2150 * debian/{source_sudo.py,rules}: Add apport hook
2151
2152 -- Marc Deslauriers <marc.deslauriers@ubuntu.com> Fri, 29 Jan 2010 09:31:00 -0500
2153
2154sudo (1.7.0-1ubuntu2) karmic; urgency=low
2155
2156 * env.c: add logic similar to pam_env's stripping of single and double
2157 quotes around /etc/environment env vars; fixes literal quotes in LANG when
2158 using sudo -i; LP: #387262.
2159
2160 -- Loïc Minier <loic.minier@ubuntu.com> Mon, 22 Jun 2009 18:03:45 +0200
2161
2162sudo (1.7.0-1ubuntu1) karmic; urgency=low
2163
2164 * Merge from debian unstable, remaining changes:
2165 - debian/rules: Disable lecture, enable tty_tickets by default. (Ubuntu
2166 specific)
2167 - Add debian/sudo_root.8: Explanation of root handling through sudo.
2168 Install it in debian/rules. (Ubuntu specific)
2169 - sudo.c: If the user successfully authenticated and he is in the 'admin'
2170 group, then create a stamp ~/.sudo_as_admin_successful. Our default bash
2171 profile checks for this and displays a short intro about sudo if the
2172 flag is not present. (Ubuntu specific)
2173 - env.c: Add "http_proxy" to initial_keepenv_table, so that it is kept
2174 for "sudo apt-get ...". (Ubuntu specific EBW hack, should disappear at
2175 some point)
2176 - debian/{rules,postinst,sudo-ldap.postinst}: Disable init script
2177 installation. Debian reintroduced it because /var/run tmpfs is not the
2178 default there, but has been on Ubuntu for ages.
2179
2180 -- Martin Pitt <martin.pitt@ubuntu.com> Mon, 11 May 2009 18:07:03 +0200
2181
929sudo (1.7.0-1) unstable; urgency=low2182sudo (1.7.0-1) unstable; urgency=low
9302183
931 * new upstream version, closes: #510179, #128268, #520274, #5085142184 * new upstream version, closes: #510179, #128268, #520274, #508514
diff --git a/debian/control b/debian/control
index b5a73de..92387f8 100644
--- a/debian/control
+++ b/debian/control
@@ -1,7 +1,8 @@
1Source: sudo1Source: sudo
2Section: admin2Section: admin
3Priority: optional3Priority: optional
4Maintainer: Sudo Maintainers <sudo@packages.debian.org>4Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
5XSBC-Original-Maintainer: Sudo Maintainers <sudo@packages.debian.org>
5Uploaders: Marc Haber <mh+debian-packages@zugschlus.de>,6Uploaders: Marc Haber <mh+debian-packages@zugschlus.de>,
6 Hanno Wagner <wagner@debian.org>,7 Hanno Wagner <wagner@debian.org>,
7 Hilko Bengen <bengen@debian.org>,8 Hilko Bengen <bengen@debian.org>,
diff --git a/debian/etc/pam.d/sudo b/debian/etc/pam.d/sudo
index 96e8906..7819ab1 100644
--- a/debian/etc/pam.d/sudo
+++ b/debian/etc/pam.d/sudo
@@ -3,6 +3,9 @@
3# Set up user limits from /etc/security/limits.conf.3# Set up user limits from /etc/security/limits.conf.
4session required pam_limits.so4session required pam_limits.so
55
6session required pam_env.so readenv=1 user_readenv=0
7session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
8
6@include common-auth9@include common-auth
7@include common-account10@include common-account
8@include common-session-noninteractive11@include common-session-noninteractive
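Review bot: The two pam_env.so session lines added after pam_limits.so carry no comment, unlike the pam_limits line above them. Add one saying that the first reads pam_env's default file /etc/environment, the second reads /etc/default/locale, and that user_readenv=0 is deliberate so a per-user environment file cannot inject variables into a session that runs with elevated privileges. Marking the stanza as Ubuntu delta would also help the next merge keep it.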
diff --git a/debian/etc/pam.d/sudo-i b/debian/etc/pam.d/sudo-i
index d638522..584b2d8 100644
--- a/debian/etc/pam.d/sudo-i
+++ b/debian/etc/pam.d/sudo-i
@@ -3,6 +3,9 @@
3# Set up user limits from /etc/security/limits.conf.3# Set up user limits from /etc/security/limits.conf.
4session required pam_limits.so4session required pam_limits.so
55
6session required pam_env.so readenv=1 user_readenv=0
7session required pam_env.so readenv=1 envfile=/etc/default/locale user_readenv=0
8
6@include common-auth9@include common-auth
7@include common-account10@include common-account
8@include common-session11@include common-session
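Review bot: This stanza is a copy of the one added to debian/etc/pam.d/sudo, again without a comment. The two files now have to be kept in step by hand, so give both the same explanatory comment to make sure a later change to one of them (for example to user_readenv) is not missed in the other.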
diff --git a/debian/etc/sudoers b/debian/etc/sudoers
index b5da8e9..8b0fb7f 100644
--- a/debian/etc/sudoers
+++ b/debian/etc/sudoers
@@ -8,7 +8,7 @@
8#8#
9Defaults env_reset9Defaults env_reset
10Defaults mail_badpass10Defaults mail_badpass
11Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"11Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
1212
13# This fixes CVE-2005-4890 and possibly breaks some versions of kdesu13# This fixes CVE-2005-4890 and possibly breaks some versions of kdesu
14# (#1011624, https://bugs.kde.org/show_bug.cgi?id=452532)14# (#1011624, https://bugs.kde.org/show_bug.cgi?id=452532)
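Review bot: The secure_path line now ends in :/snap/bin with nothing marking it as Ubuntu delta. secure_path is the PATH sudo uses for the commands it runs, so every directory on it needs to be writable by root only; /snap/bin is placed last, which keeps the system directories ahead of it in lookup order, and that ordering should be preserved on future merges. A one-line comment above the Defaults line saying why /snap/bin is there would make the intent explicit.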
@@ -46,6 +46,9 @@ Defaults use_pty
46# User privilege specification46# User privilege specification
47root ALL=(ALL:ALL) ALL47root ALL=(ALL:ALL) ALL
4848
49# Members of the admin group may gain root privileges
50%admin ALL=(ALL) ALL
51
49# Allow members of group sudo to execute any command52# Allow members of group sudo to execute any command
50%sudo ALL=(ALL:ALL) ALL53%sudo ALL=(ALL:ALL) ALL
5154
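Review bot: The added %admin rule uses the Runas form (ALL) while the root and %sudo rules around it use (ALL:ALL), so members of admin can run commands as any user but cannot select a target group with -g. If that difference is kept on purpose for compatibility with older installs, say so in the comment; otherwise align it with %sudo. It is also worth confirming that the admin group is still meant to grant root by default, because any pre-existing local group of that name gains full sudo rights from this line.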
diff --git a/debian/sudo-ldap.init b/debian/sudo-ldap.init
52deleted file mode 10064455deleted file mode 100644
index b907b8a..0000000
--- a/debian/sudo-ldap.init
+++ /dev/null
@@ -1,46 +0,0 @@
1#! /bin/sh
2
3### BEGIN INIT INFO
4# Provides: sudo-ldap
5# Required-Start: $local_fs $remote_fs
6# Required-Stop:
7# X-Start-Before: rmnologin
8# Default-Start: 2 3 4 5
9# Default-Stop:
10# Short-Description: Provide limited super user privileges to specific users
11# Description: Provide limited super user privileges to specific users.
12### END INIT INFO
13
14. /lib/lsb/init-functions
15
16N=/etc/init.d/sudo-ldap
17
18set -e
19
20case "$1" in
21 start)
22 # make sure privileges don't persist across reboots
23 # if the /run/sudo directory doesn't exist, let's create it with the
24 # correct permissions and SELinux label
25 if ! [ -d /run/systemd/system ] ; then
26 if [ -d /run/sudo ]
27 then
28 find /run/sudo -exec touch -d @0 '{}' \;
29 else
30 mkdir /run/sudo /run/sudo/ts
31 chown root:root /run/sudo /run/sudo/ts
32 chmod 0711 /run/sudo
33 chmod 0700 /run/sudo/ts
34 [ -x /sbin/restorecon ] && /sbin/restorecon /run/sudo /run/sudo/ts
35 fi
36 fi
37 ;;
38 stop|reload|restart|force-reload|status)
39 ;;
40 *)
41 echo "Usage: $N {start|stop|restart|force-reload|status}" >&2
42 exit 1
43 ;;
44esac
45
46exit 0
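Review bot: Dropping this script removes the code that, on a boot without /run/systemd/system, resets the timestamps under /run/sudo (find /run/sudo -exec touch -d @0) or creates /run/sudo and /run/sudo/ts with modes 0711 and 0700. The delta description should state why that is safe on Ubuntu, for example that /run is always a fresh tmpfs so no timestamp files survive a reboot, and should account for the restorecon step that set the SELinux label. The same applies to the identical debian/sudo.init removal.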
diff --git a/debian/sudo-ldap.manpages b/debian/sudo-ldap.manpages
47new file mode 1006440new file mode 100644
index 0000000..72826b8
--- /dev/null
+++ b/debian/sudo-ldap.manpages
@@ -0,0 +1 @@
1debian/sudo_root.8
diff --git a/debian/sudo.init b/debian/sudo.init
0deleted file mode 1006442deleted file mode 100644
index 602d9bf..0000000
--- a/debian/sudo.init
+++ /dev/null
@@ -1,46 +0,0 @@
1#! /bin/sh
2
3### BEGIN INIT INFO
4# Provides: sudo
5# Required-Start: $local_fs $remote_fs
6# Required-Stop:
7# X-Start-Before: rmnologin
8# Default-Start: 2 3 4 5
9# Default-Stop:
10# Short-Description: Provide limited super user privileges to specific users
11# Description: Provide limited super user privileges to specific users.
12### END INIT INFO
13
14. /lib/lsb/init-functions
15
16N=/etc/init.d/sudo
17
18set -e
19
20case "$1" in
21 start)
22 # make sure privileges don't persist across reboots
23 # if the /run/sudo directory doesn't exist, let's create it with the
24 # correct permissions and SELinux label
25 if ! [ -d /run/systemd/system ] ; then
26 if [ -d /run/sudo ]
27 then
28 find /run/sudo -exec touch -d @0 '{}' \;
29 else
30 mkdir /run/sudo /run/sudo/ts
31 chown root:root /run/sudo /run/sudo/ts
32 chmod 0711 /run/sudo
33 chmod 0700 /run/sudo/ts
34 [ -x /sbin/restorecon ] && /sbin/restorecon /run/sudo /run/sudo/ts
35 fi
36 fi
37 ;;
38 stop|reload|restart|force-reload|status)
39 ;;
40 *)
41 echo "Usage: $N {start|stop|restart|force-reload|status}" >&2
42 exit 1
43 ;;
44esac
45
46exit 0
diff --git a/debian/sudo.manpages b/debian/sudo.manpages
47new file mode 1006440new file mode 100644
index 0000000..72826b8
--- /dev/null
+++ b/debian/sudo.manpages
@@ -0,0 +1 @@
1debian/sudo_root.8
diff --git a/debian/sudo_root.8 b/debian/sudo_root.8
0new file mode 1006442new file mode 100644
index 0000000..47532ed
--- /dev/null
+++ b/debian/sudo_root.8
@@ -0,0 +1,138 @@
1.TH sudo_root 8 "February 8, 2006"
2
3.SH NAME
4sudo_root \- How to run administrative commands
5
6.SH SYNOPSIS
7
8.B sudo
9.I command
10
11.B sudo \-i
12
13.SH INTRODUCTION
14
15By default, the password for the user "root" (the system
16administrator) is locked. This means you cannot login as root or use
17su. Instead, the installer will set up sudo to allow the user that is
18created during install to run all administrative commands.
19
20This means that in the terminal you can use sudo for commands that
21require root privileges. All programs in the menu will use a graphical
22sudo to prompt for a password. When sudo asks for a password, it needs
23.B your password,
24this means that a root password is not needed.
25
26To run a command which requires root privileges in a terminal, simply
27prepend
28.B sudo
29in front of it. To get an interactive root shell, use
30.B sudo \-i\fR.
31
32.SH ALLOWING OTHER USERS TO RUN SUDO
33
34By default, only the user who installed the system is permitted to run
35sudo. To add more administrators, i. e. users who can run sudo, you
36have to add these users to the group 'sudo' by doing one of the
37following steps:
38
39.IP * 2
40In a shell, do
41
42.RS 4
43.B sudo adduser
44.I username
45.B sudo
46.RE
47
48.IP * 2
49Use the graphical "Users & Groups" program in the "System settings"
50menu to add the new user to the
51.B sudo
52group.
53
54.SH BENEFITS OF USING SUDO
55
56The benefits of leaving root disabled by default include the following:
57
58.IP * 2
59Users do not have to remember an extra password, which they are likely to forget.
60.IP * 2
61The installer is able to ask fewer questions.
62.IP * 2
63It avoids the "I can do anything" interactive login by default \- you
64will be prompted for a password before major changes can happen, which
65should make you think about the consequences of what you are doing.
66.IP * 2
67Sudo adds a log entry of the command(s) run (in \fB/var/log/auth.log\fR).
68.IP * 2
69Every attacker trying to brute\-force their way into your box will
70know it has an account named root and will try that first. What they
71do not know is what the usernames of your other users are.
72.IP * 2
73Allows easy transfer for admin rights, in a short term or long term
74period, by adding and removing users from the sudo group, while not
75compromising the root account.
76.IP * 2
77sudo can be set up with a much more fine\-grained security policy.
78.IP * 2
79On systems with more than one administrator using sudo avoids sharing
80a password amongst them.
81
82.SH DOWNSIDES OF USING SUDO
83
84Although for desktops the benefits of using sudo are great, there are
85possible issues which need to be noted:
86
87.IP * 2
88Redirecting the output of commands run with sudo can be confusing at
89first. For instance consider
90
91.RS 4
92.B sudo ls > /root/somefile
93.RE
94
95.RS 2
96will not work since it is the shell that tries to write to that file. You can use
97.RE
98
99.RS 4
100.B ls | sudo tee /root/somefile
101.RE
102
103.RS 2
104to get the behaviour you want.
105.RE
106
107.IP * 2
108In a lot of office environments the ONLY local user on a system is
109root. All other users are imported using NSS techniques such as
110nss\-ldap. To setup a workstation, or fix it, in the case of a network
111failure where nss\-ldap is broken, root is required. This tends to
112leave the system unusable. An extra local user, or an enabled root
113password is needed here.
114
115.SH GOING BACK TO A TRADITIONAL ROOT ACCOUNT
116
117.B This is not recommended!
118
119To enable the root account (i.e. set a password) use:
120
121.RS 4
122.B sudo passwd root
123.RE
124
125Afterwards, edit the sudo configuration with
126.B sudo visudo
127and comment out the line
128
129.RS 4
130%sudo ALL=(ALL) ALL
131.RE
132
133to disable sudo access to members of the sudo group.
134
135.SH SEE ALSO
136.BR sudo (8),
137.B https://wiki.ubuntu.com/RootSudo
138
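Review bot: The GOING BACK TO A TRADITIONAL ROOT ACCOUNT section tells the reader to comment out "%sudo ALL=(ALL) ALL", but the debian/etc/sudoers in this same diff ships "%sudo ALL=(ALL:ALL) ALL" and now also "%admin ALL=(ALL) ALL". The quoted line does not exist as written, and commenting out only the %sudo rule leaves members of admin with root access. Update the quoted rule and mention %admin. The .TH date is still February 8, 2006 and could be refreshed along with the text.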
diff --git a/debian/tests/04-getroot-sssd b/debian/tests/04-getroot-sssd
index bcafaf8..286c9ab 100755
--- a/debian/tests/04-getroot-sssd
+++ b/debian/tests/04-getroot-sssd
@@ -45,6 +45,17 @@ kill $(pidof slapd) 2>/dev/null || true
45sleep 145sleep 1
46printf "start slapd ... "46printf "start slapd ... "
47slapd -h "ldaps:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d47slapd -h "ldaps:/// ldapi:///" -g openldap -u openldap -F /etc/ldap/slapd.d
48
49# Workaround for autopkgtest failing on s390x. See LP: #2026888
50# slapd is not responding properly yet when ldapmodify is called
51retries=3
52while ! ldapwhoami -Y external -H ldapi:/// > /dev/null 2>&1 && [ $retries -gt 0 ]
53do
54 echo "slapd is not ready yet..."
55 retries=$(($retries-1))
56 sleep 1
57done
58
48# ldapsearch -x -LLL -s base -b "" namingContexts should work here59# ldapsearch -x -LLL -s base -b "" namingContexts should work here
49printf "set LDAP passwords"60printf "set LDAP passwords"
50ldapmodify -Y external -H ldapi:/// -f ${LDIFDIR}/tls.ldif 2>/dev/null61ldapmodify -Y external -H ldapi:/// -f ${LDIFDIR}/tls.ldif 2>/dev/null
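Review bot: The retry loop added after the slapd start falls through when retries reaches 0, so if slapd never answers ldapwhoami the script carries on to ldapmodify, whose stderr is sent to /dev/null, and the failure surfaces later with no hint of the cause. After the loop, check readiness once more and exit non-zero with a clear message if slapd is still not responding. Three one-second attempts is also a small budget for a workaround aimed at a slow s390x runner; a larger retry count costs nothing on fast machines. Minor: quote the test operand as "$retries" and write $((retries-1)).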
diff --git a/debian/tests/control b/debian/tests/control
index abea94c..75e51a0 100644
--- a/debian/tests/control
+++ b/debian/tests/control
@@ -6,11 +6,15 @@ Tests: 02-1003969-audit-no-resolve
6Depends: sudo6Depends: sudo
7Restrictions: needs-root7Restrictions: needs-root
88
9Tests: 03-getroot-ldap9# We cannot add 'sudo-ldap' as a Depends: as there is a removal conflict with
10Depends: sudo-ldap, adduser, slapd, ldap-utils, cron10# 'sudo' in Ubuntu and we need to pass the SUDO_FORCE_REMOVE env var to avoid
11Restrictions: needs-root11# this. Removing sudo conflicts with autopkgtest-virt-ssh, so we skip this test
12# (except for armhf/LXD containers). Needs more investigation...
13Test-Command: systemd-detect-virt -q --container || exit 77; env SUDO_FORCE_REMOVE=yes apt-get -y install sudo-ldap && debian/tests/03-getroot-ldap
14Depends: adduser, slapd, ldap-utils, cron
15Restrictions: needs-root, skippable
16Features: test-name=03-getroot-ldap
1217
13Tests: 04-getroot-sssd18Tests: 04-getroot-sssd
14Depends: sudo, adduser, slapd, ldap-utils, sssd-common, sssd-ldap, cron19Depends: sudo, adduser, slapd, ldap-utils, sssd-common, sssd-ldap, cron
15Restrictions: needs-root20Restrictions: needs-root
16
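Review bot: The new Test-Command exits 77 unless systemd-detect-virt reports a container, so with the skippable restriction 03-getroot-ldap is skipped on every VM-based runner and sudo-ldap loses its getroot coverage there. The comment ends in "Needs more investigation..."; link the bug that tracks that investigation so the skip does not become permanent. Because sudo-ldap is no longer in Depends and is installed by apt-get inside the command, also confirm that the version installed is the one built from this source rather than an older archive copy.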
