File sudo-sudoers.patch of Package sudo

Index: sudo-1.9.17p1/plugins/sudoers/sudoers.in
===================================================================
--- sudo-1.9.17p1.orig/plugins/sudoers/sudoers.in
+++ sudo-1.9.17p1/plugins/sudoers/sudoers.in
@@ -50,29 +50,23 @@ Defaults!@visudo@ env_keep += "SUDO_EDIT
 ## arbitrary commands under sudo.
 @secure_path_config@Defaults secure_path="@secure_path@"
 ##
-## You may wish to keep some of the following environment variables
-## when running commands via sudo.
-##
-## Locale settings
-# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
-##
-## Run X applications through sudo; HOME is used to find the
-## .Xauthority file.  Note that other programs use HOME to find   
-## configuration files and this may lead to privilege escalation!
-# Defaults env_keep += "HOME"
-##
-## X11 resource path settings
-# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
-##
-## Desktop path settings
-# Defaults env_keep += "QTDIR KDEDIR"
-##
-## Allow sudo-run commands to inherit the callers' ConsoleKit session
-# Defaults env_keep += "XDG_SESSION_COOKIE"
-##
-## Uncomment to enable special input methods.  Care should be taken as
-## this may allow users to subvert the command being run via sudo.
-# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+## Prevent environment variables from influencing programs in an
+## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
+Defaults always_set_home
+Defaults env_reset
+## Change env_reset to !env_reset in previous line to keep all environment variables
+## Following list will no longer be necessary after this change
+Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
+## Comment out the preceding line and uncomment the following one if you need
+## to use special input methods. This may allow users to compromise the root
+## account if they are allowed to run commands without authentication.
+#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+
+## Do not insult users when they enter an incorrect password.
+Defaults !insults
+
+## Use this PATH instead of the user's to find commands.
+Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
 ##
 ## Uncomment to disable "use_pty" when running commands as root.
 ## Commands run as non-root users will run in a pseudo-terminal,
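Review bot: The added `Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"` near the end of this hunk duplicates the templated `@secure_path_config@Defaults secure_path="@secure_path@"` context line kept at the top of it. If the template line expands to an active setting, the later hard-coded line presumably takes precedence, so a path chosen at configure time would be silently ignored. Keeping a single source avoids this: either drop the added line and pass the path via `--with-secure-path`, or remove the templated line in this patch. Separately, the comment that suggests switching to `!env_reset` carries no caveat; I would add `## Not recommended: with !env_reset only the env_check/env_delete lists filter the caller's environment.`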
@@ -94,7 +88,6 @@ Defaults!@visudo@ env_keep += "SUDO_EDIT
 ## Set maxseq to a smaller number if you don't have unlimited disk space.
 # Defaults log_output
 # Defaults!/usr/bin/sudoreplay !log_output
-# Defaults!/usr/local/bin/sudoreplay !log_output
 # Defaults!REBOOT !log_output
 # Defaults maxseq = 1000
 ##
@@ -112,6 +105,12 @@ Defaults!@visudo@ env_keep += "SUDO_EDIT
 ## modules such as pam_faillock will not be printed.
 # Defaults !pam_silent
 
+## In the default (unconfigured) configuration, sudo asks for the root password.
+## This allows use of an ordinary user account for administration of a freshly
+## installed system.
+Defaults targetpw   # ask for the password of the target user i.e. root
+ALL   ALL=(ALL) ALL   # WARNING! Only use this together with 'Defaults targetpw'!
+
 ##
 ## Runas alias specification
 ##
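Review bot: The added `ALL   ALL=(ALL) ALL` rule is only safe while `Defaults targetpw` stays in effect, and the trailing WARNING comment does not say what happens otherwise. If an administrator comments out the `targetpw` line, or (as far as I can tell from the `@includedir` at the end of the file) a drop-in sets `Defaults !targetpw`, every local account could run any command as root with its own password. I would state that above the pair, e.g. `## Remove BOTH lines together once a dedicated admin user or group rule exists; the ALL rule without targetpw gives every user root.` The rule also uses `(ALL)` while the neighbouring `root ALL=(ALL:ALL) ALL` uses `(ALL:ALL)`; if omitting the runas group is deliberate, a short comment saying so would help.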
@@ -127,13 +126,5 @@ root ALL=(ALL:ALL) ALL
 ## Same thing without a password
 # %wheel ALL=(ALL:ALL) NOPASSWD: ALL
 
-## Uncomment to allow members of group sudo to execute any command
-# %sudo ALL=(ALL:ALL) ALL
-
-## Uncomment to allow any user to run sudo if they know the password
-## of the user they are running the command as (root by default).
-# Defaults targetpw  # Ask for the password of the target user
-# ALL ALL=(ALL:ALL) ALL  # WARNING: only use this together with 'Defaults targetpw'
-
 ## Read drop-in files from @sysconfdir@/sudoers.d
 @includedir @sysconfdir@/sudoers.d