Update Sudo from 1.8.20p2 to 1.8.22 and make it FHS 3.0 compliant #623
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Make Sudo compatible with FHS 3.0. Newer systemd requires `/var/run` to be a symbolic link to `/run`, and will not bind mount `/var/run` as a tmpfs anymore, if the directory contains files. So configure Sudo to use `/run`. From the file `INSTALL`: > --with-rundir=DIR > Set the directory to be used for sudo-specific files that > do not survive a system reboot. This is typically where > the time stamp directory is located. By default, configure > will use the first existing directory in the following list: > /var/run, /var/db, /var/lib, /var/adm, /usr/adm > This directory should be cleared when the system reboots. > On systems that lack /var/run, the default rundir and vardir > may be the same. In this case, only the ts directory inside > the rundir needs to be cleared at boot time. [`/var/run` should be a symbolic link to `/run`.][1] From the [*Filesystem Hierarchy Standard 3.0* for `/var/run`][2]. > 5.13. /var/run : Run-time variable data > --------------------------------------- > > ### 5.13.1. Purpose ### > > This directory was once intended for system information data > describing the system since it was booted. These functions have been > moved to /run; this directory exists to ensure compatibility with > systems and software using an older version of this specification. For [`/run`][3]: > 3.15. /run : Run-time variable data > ----------------------------------- > > ### 3.15.1. Purpose ### > > The purposes of this directory were once served by /var/run. In > general, programs may continue to use /var/run to fulfill the > requirements set out for /run for the purposes of backwards > compatibility. Programs which have migrated to use /run should cease > their usage of /var/run, except as noted in the section on /var/run. [1]: https://lists.fedoraproject.org/pipermail/devel/2011-March/150031.html [2]: https://refspecs.linuxfoundation.org/FHS_3.0/fhs-3.0.html#varrunRuntimeVariableData [3]: https://refspecs.linuxfoundation.org/FHS_3.0/fhs-3.0.html#runRuntimeVariableData
The file [`NEWS`][1] contains the change-log. > What's new in Sudo 1.8.22 > > * Commands run in the background from a script run via sudo will > no longer receive SIGHUP when the parent exits and I/O logging > is enabled. Bug #502 > > * A particularly offensive insult is now disabled by default. > Bug #804 > > * The description of "sudo -i" now correctly documents that > the "env_keep" and "env_check" sudoers options are applied to > the environment. Bug #806 > > * Fixed a crash when the system's host name is not set. > Bug #807 > > * The sudoers2ldif script now handles #include and #includedir > directives. > > * Fixed a bug where sudo would silently exit when the command was > not allowed by sudoers and the "passwd_tries" sudoers option > was set to a value less than one. > > * Fixed a bug with the "listpw" and "verifypw" sudoers options and > multiple sudoers sources. If the option is set to "all", a > password should be required unless none of a user's sudoers > entries from any source require authentication. > > * Fixed a bug with the "listpw" and "verifypw" sudoers options in > the LDAP and SSSD back-ends. If the option is set to "any", and > the entry contained multiple rules, only the first matching rule > was checked. If an entry contained more than one matching rule > and the first rule required authentication but a subsequent rule > did not, sudo would prompt for a password when it should not have. > > * When running a command as the invoking user (not root), sudo > would execute the command with the same group vector it was > started with. Sudo now executes the command with a new group > vector based on the group database which is consistent with > how su(1) operates. > > * Fixed a double free in the SSSD back-end that could occur when > ipa_hostname is present in sssd.conf and is set to an unqualified > host name. > > * When I/O logging is enabled, sudo will now write to the terminal > even when it is a background process. Previously, sudo would > only write to the tty when it was the foreground process when > I/O logging was enabled. If the TOSTOP terminal flag is set, > sudo will suspend the command (and then itself) with the SIGTTOU > signal. > > * A new "authfail_message" sudoers option that overrides the > default "N incorrect password attempt(s)". > > * An empty sudoRunAsUser attribute in the LDAP and SSSD backends > will now match the invoking user. This is more consistent with > how an empty runas user in the sudoers file is treated. > > * Documented that in check mode, visudo does not check the owner/mode > on files specified with the -f flag. Bug #809. > > * It is now an error to specify the runas user as an empty string > on the command line. Previously, an empty runas user was treated > the same as an unspecified runas user. Bug #817. > > * When "timestamp_type" option is set to "tty" and a terminal is > present, the time stamp record will now include the start time > of the session leader. When the "timestamp_type" option is set > to "ppid" or when no terminal is available, the start time of > the parent process is used instead. This significantly reduces > the likelihood of a time stamp record being re-used when a user > logs out and back in again. Bug #818. > > * The sudoers time stamp file format is now documented in the new > sudoers_timestamp manual. > > * The "timestamp_type" option now takes a "kernel" value on OpenBSD > systems. This causes the tty-based time stamp to be stored in > the kernel instead of on the file system. If no tty is present, > the time stamp is considered to be invalid. > > * Visudo will now use the SUDO_EDITOR environment variable (if > present) in addition to VISUAL and EDITOR. > > What's new in Sudo 1.8.21p2 > > * Fixed a bug introduced in version 1.8.21 which prevented sudo > from using the PAM-supplied prompt. Bug #799 > > * Fixed a bug introduced in version 1.8.21 which could result in > sudo hanging when running commands that exit quickly. Bug #800 > > * Fixed a bug introduced in version 1.8.21 which prevented the > command from being run when the password was read via an external > program using the askpass interface. Bug #801 > > What's new in Sudo 1.8.21p1 > > * On systems that support both PAM and SIGINFO, the main sudo > process will no longer forward SIGINFO to the command if the > signal was generated from the keyboard. The command will have > already received SIGINFO since it is part of the same process > group so there's no need for sudo to forward it. This is > consistent with the handling of SIGINT, SIGQUIT and SIGTSTP. > Bug #796 > > * If SUDOERS_SEARCH_FILTER in ldap.conf does not specify a value, > the LDAP search expression used when looking up netgroups and > non-Unix groups had a syntax error if a group plugin was not > specified. > > * "sudo -U otheruser -l" will now have an exit value of 0 even > if "otheruser" has no sudo privileges. The exit value when a > user attempts to lists their own privileges or when a command > is specified is unchanged. > > * Fixed a regression introduced in sudo 1.8.21 where sudoreplay > playback would hang for I/O logs that contain terminal input. > > * Sudo 1.8.18 contained an incomplete fix for the matching of > entries in the LDAP and SSSD back-ends when a sudoRunAsGroup is > specified but no sudoRunAsUser is present in the sudoRole. > > What's new in Sudo 1.8.21 > > * The path that sudo uses to search for terminal devices can now > be configured via the new "devsearch" Path setting in sudo.conf. > > * It is now possible to preserve bash shell functions in the > environment when the "env_reset" sudoers setting is disabled by > removing the "*=()*" pattern from the env_delete list. > > * A change made in sudo 1.8.15 inadvertantly caused sudoedit to > send itself SIGHUP instead of exiting when the editor returns > an error or the file was not modified. > > * Sudoedit now uses an exit code of zero if the file was not > actually modified. Previously, sudoedit treated a lack of > modifications as an error. > > * When running a command in a pseudo-tty (pty), sudo now copies a > subset of the terminal flags to the new pty. Previously, all > flags were copied, even those not appropriate for a pty. > > * Fixed a problem with debug logging in the sudoers I/O logging > plugin. > > * Window size change events are now logged to the policy plugin. > On xterm and compatible terminals, sudoreplay is now capable of > resizing the terminal to match the size of the terminal the > command was run on. The new -R option can be used to disable > terminal resizing. > > * Fixed a bug in visudo where a newly added file was not checked > for syntax errors. Bug #791. > > * Fixed a bug in visudo where if a syntax error in an include > directory (like /etc/sudoers.d) was detected, the edited version > was left as a temporary file instead of being installed. > > * On PAM systems, sudo will now treat "username's Password:" as > a standard password prompt. As a result, the SUDO_PROMPT > environment variable will now override "username's Password:" > as well as the more common "Password:". Previously, the > "passprompt_override" Defaults setting would need to be set for > SUDO_PROMPT to override a prompt of "username's Password:". > > * A new "syslog_pid" sudoers setting has been added to include > sudo's process ID along with the process name when logging via > syslog. Bug #792. > > * Fixed a bug introduced in sudo 1.8.18 where a command would > not be terminated when the I/O logging plugin returned an error > to the sudo front-end. > > * A new "timestamp_type" sudoers setting has been added that replaces > the "tty_tickets" option. In addition to tty and global time stamp > records, it is now possible to use the parent process ID to restrict > the time stamp to commands run by the same process, usually the shell. > Bug #793. > > * The --preserve-env command line option has been extended to accept > a comma-separated list of environment variables to preserve. > Bug #279. > > * Friulian translation for sudo from translationproject.org. [1]: https://www.sudo.ws/repos/sudo/file/SUDO_1_8_22/NEWS
|
We will probably need to find a way, to remove the directory |
|
Why should we change the configuration for every tool using /var/run instead of keeping it as close to upstream as possible and let it follow the symlink? |
|
Am 19.02.2018 um 15:27 schrieb Donald Buczek:
Why should we change the configuration for every tool using /var/run
instead of keeping it as close to upstream as possible and let it
follow the symlink?
Well, it’s only three or four tools, and FHS 3.0 prefers `/run`.
|
|
Even fixed in upstream Sudo now. |
Sign in
to join this conversation on GitHub.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Tested on keineahnung.