Sync from SUSE:SLFO:Main sudo revision 2e0d34ac30e490d545a77a4287d63a75

This commit is contained in:
Adrian Schröter 2024-05-04 00:53:47 +02:00
commit 6e4ce16597
15 changed files with 4504 additions and 0 deletions

23
.gitattributes vendored Normal file
View File

@ -0,0 +1,23 @@
## Default LFS
*.7z filter=lfs diff=lfs merge=lfs -text
*.bsp filter=lfs diff=lfs merge=lfs -text
*.bz2 filter=lfs diff=lfs merge=lfs -text
*.gem filter=lfs diff=lfs merge=lfs -text
*.gz filter=lfs diff=lfs merge=lfs -text
*.jar filter=lfs diff=lfs merge=lfs -text
*.lz filter=lfs diff=lfs merge=lfs -text
*.lzma filter=lfs diff=lfs merge=lfs -text
*.obscpio filter=lfs diff=lfs merge=lfs -text
*.oxt filter=lfs diff=lfs merge=lfs -text
*.pdf filter=lfs diff=lfs merge=lfs -text
*.png filter=lfs diff=lfs merge=lfs -text
*.rpm filter=lfs diff=lfs merge=lfs -text
*.tbz filter=lfs diff=lfs merge=lfs -text
*.tbz2 filter=lfs diff=lfs merge=lfs -text
*.tgz filter=lfs diff=lfs merge=lfs -text
*.ttf filter=lfs diff=lfs merge=lfs -text
*.txz filter=lfs diff=lfs merge=lfs -text
*.whl filter=lfs diff=lfs merge=lfs -text
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text

2
50-wheel-auth-self.conf Normal file
View File

@ -0,0 +1,2 @@
Defaults:%wheel !targetpw
%wheel ALL = (root) ALL

1
51-wheel.rules Normal file
View File

@ -0,0 +1 @@
polkit._suse_admin_groups.push("wheel");

7
README.SUSE Normal file
View File

@ -0,0 +1,7 @@
In the default (ie unconfigured) configuration sudo asks for root password.
This allows to use an ordinary user account for administration of a freshly
installed system. When configuring sudo, please make sure to delete the two
following lines:
Defaults targetpw # ask for the password of the target user i.e. root
%users ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!

19
README_313276.test Normal file
View File

@ -0,0 +1,19 @@
To verify that sudo works with SSSD,
there's has to be a working LDAP server where the sudoers file
will be saved, local running SSSD and sudo configured to use
the SSSD plugin.
The sudoers file has to be stored in LDAP.
A [sudo] service has to be configured in /etc/sssd/sssd.conf
Sudo needs to be instructed to use SSSD, this is done in /etc/nsswitch.conf,
by adding a line "sudoers: files sss"
Related material:
/usr/share/doc/packages/sudo/README.LDAP provides a guide how to
make sudo work with LDAP.
man sudoers.ldap(5) describes the LDAP-based sudoers file
man sssd-ldap(5) describes the LDAP sudo options.

14
fate_313276_test.sh Normal file
View File

@ -0,0 +1,14 @@
#!/bin/sh
if [ $(id -u) -ne 0 ]; then
printf "Please run the test as root.\n"
exit 1
fi
if sudo -V | grep -q -- --with-sssd; then
printf "OK: Sudo has support for SSSD compiled in.\n"
exit 0
fi
printf "Error: SSSD support isn't compiled in.\n"
exit 1

BIN
sudo-1.9.15p5.tar.gz (Stored with Git LFS) Normal file

Binary file not shown.

BIN
sudo-1.9.15p5.tar.gz.sig Normal file

Binary file not shown.

7
sudo-i.pamd Normal file
View File

@ -0,0 +1,7 @@
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session optional pam_keyinit.so force revoke
session include common-session
# session optional pam_xauth.so

89
sudo-sudoers.patch Normal file
View File

@ -0,0 +1,89 @@
Index: sudo-1.9.15p2/plugins/sudoers/sudoers.in
===================================================================
--- sudo-1.9.15p2.orig/plugins/sudoers/sudoers.in
+++ sudo-1.9.15p2/plugins/sudoers/sudoers.in
@@ -41,32 +41,23 @@
##
## Defaults specification
##
-## You may wish to keep some of the following environment variables
-## when running commands via sudo.
-##
-## Locale settings
-# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
-##
-## Run X applications through sudo; HOME is used to find the
-## .Xauthority file. Note that other programs use HOME to find
-## configuration files and this may lead to privilege escalation!
-# Defaults env_keep += "HOME"
-##
-## X11 resource path settings
-# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
-##
-## Desktop path settings
-# Defaults env_keep += "QTDIR KDEDIR"
-##
-## Allow sudo-run commands to inherit the callers' ConsoleKit session
-# Defaults env_keep += "XDG_SESSION_COOKIE"
-##
-## Uncomment to enable special input methods. Care should be taken as
-## this may allow users to subvert the command being run via sudo.
-# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
-##
-## Uncomment to use a hard-coded PATH instead of the user's to find commands
-# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
+## Prevent environment variables from influencing programs in an
+## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
+Defaults always_set_home
+Defaults env_reset
+## Change env_reset to !env_reset in previous line to keep all environment variables
+## Following list will no longer be necessary after this change
+Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
+## Comment out the preceding line and uncomment the following one if you need
+## to use special input methods. This may allow users to compromise the root
+## account if they are allowed to run commands without authentication.
+#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+
+## Do not insult users when they enter an incorrect password.
+Defaults !insults
+
+## Use this PATH instead of the user's to find commands.
+Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
##
## Uncomment to restore the historic behavior where a command is run in
## the user's own terminal.
@@ -81,7 +72,6 @@
## Set maxseq to a smaller number if you don't have unlimited disk space.
# Defaults log_output
# Defaults!/usr/bin/sudoreplay !log_output
-# Defaults!/usr/local/bin/sudoreplay !log_output
# Defaults!REBOOT !log_output
# Defaults maxseq = 1000
##
@@ -95,6 +85,12 @@
## slower by these options and also can clutter up the logs.
# Defaults!PKGMAN !intercept, !log_subcmds
+## In the default (unconfigured) configuration, sudo asks for the root password.
+## This allows use of an ordinary user account for administration of a freshly
+## installed system.
+Defaults targetpw # ask for the password of the target user i.e. root
+ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
+
##
## Runas alias specification
##
@@ -110,13 +106,5 @@ root ALL=(ALL:ALL) ALL
## Same thing without a password
# %wheel ALL=(ALL:ALL) NOPASSWD: ALL
-## Uncomment to allow members of group sudo to execute any command
-# %sudo ALL=(ALL:ALL) ALL
-
-## Uncomment to allow any user to run sudo if they know the password
-## of the user they are running the command as (root by default).
-# Defaults targetpw # Ask for the password of the target user
-# ALL ALL=(ALL:ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
-
## Read drop-in files from @sysconfdir@/sudoers.d
@includedir @sysconfdir@/sudoers.d

3910
sudo.changes Normal file

File diff suppressed because it is too large Load Diff

79
sudo.keyring Normal file
View File

@ -0,0 +1,79 @@
pub 1024D/0x5A89DFA27EE470C4 2002-10-02
uid [ unknown] Todd C. Miller <Todd.Miller@courtesan.com>
sub 1024g/0x4ACA1697D017E72F 2002-10-02
pub 4096R/0xA9F4C021CEA470FB 2017-12-03
uid [ unknown] Todd C. Miller <Todd.Miller@sudo.ws>
sub 4096R/0x8BBF1A6CF4565623 2017-12-03
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2
mQGiBD2bdiURBACyoSsYq9t8jiLnhABRZcgDP2vaoJoGJD3eb9HNsv2+0IrcHaut
s1QR1AY88AGTMnQTFWjH1vIXz/YCKnvgqklfbVCMehvkOUKvGv2eP7IkmWvVPIQb
kayHCtChOKW86hqxZXyT8sbBJqHGHq7xBbg71uZ/CSaTY3ATencRX+UndwCg6ujz
FFQhKoVwnPdYPkYA10kp2UsD/2Act3O9UJabaln5MLqLQrxo1Cqa3+ht4liAAOr3
psMPcieyIULQ4yE19Jvb90s2sao88BUPVeDxBHV/nhcNQxlH4Boc+kWtU36XSxU3
yrUhZDQIvrM4o1yCSgNSwUM88+qYm6ETAT0sZAiFT9biMjsT4Bw13KihyYtE2L36
LdXOA/9MEH8zWRqUjQMt4X1yKTjwmIotAd9xetVNj+4lfTgmsnlZoex7T94Id0+B
FDDSj4gpQ7GpFa0qOQgTyaUo5HgoPFw4F9TjebWiyey2SznIw4960KoAwfSTdSOG
GoD96xuBsmQGCfdIFW43SJngXKiOpF/3VHoUxGYhTefOSGHAvLQqVG9kZCBDLiBN
aWxsZXIgPFRvZGQuTWlsbGVyQGNvdXJ0ZXNhbi5jb20+iFkEExECABkFAj2bdiUE
CwcDAgMVAgMDFgIBAh4BAheAAAoJEFqJ36J+5HDEQigAoLdD+y5EQzvogb6oybhC
pBBmefqYAKDGlnXX7JNBJYBv/r5TBg4+zLOOL7kBDQQ9m3YnEAQAzhN0fOfOz3+z
m0rHJ+hCW06ME9W1UWTgPdkh6izMO29j5tsq7MDOEoiBA8fGNV9+1nqXS3PWsYpP
qnm+Yx/8zHPsepiOWe3UaJruBfFT8BlGSzN6p9aO1liQOnv57XouRab5tUFZPDM7
ADHGAlruyvZjzywj/v6FWNoY6DLiqosAAwUEAKSap7csw/skFED0lF/lsllvmRa7
4kd/lEYGPB62Cyau/4nucrnZrBNP7wSIdpCLzQxq6l/j/vP5aUV8qN2W6+DY1CZA
rodtZKPUNGHCdop9ZcskEx6eOG2ivYpgn0z6scoXUJ4g5kCSshzPedG4DOLHFMtE
hVDWxnHdtn0UFCntiEYEGBECAAYFAj2bdicACgkQWonfon7kcMTOeACgmCPD1Is5
KhRmc+7kY4ILfdUX5OUAn2mdSBk/pObAfpdPzasJT7QxIQFLmQINBFokaiQBEADM
mTjkUBpTgLLiv85lz0UGmgVj39si2Gd3RC2/qz3UmHhS0qnL4x3LejZQOifaevT3
wIgOjU+YtyHleW2lZp0a/ndtFgXHeVJTQ12Ej5NbOHBFECWkWyXj1Rv/vBopI7Ox
ERjAjoUQLSu6nsksclYoO0pZywm+K17os1i5Qbi0djdYjHT5Asiqnef5g02a8DJz
QCq37VM046gFRhnp/unJoi4iexpjH/HL4tlRO7/3pDwV6MFVWDhNcrlP6AnmSzYb
Fv8Nt4MsbWU0oYa1TtRmuqxn5R/Lb9i4Uj793qZz3I/cDqv78kd3lRJ5TbjXR1D2
alhGVP6+0KWOKd5rpDSwYNojwKdVI6faJUOjRRSHGmZiNYFWp5UXDQUeFXmzEFWa
XgIXbmH0SqpVkKvwhH/sn0G3ryLXnPizjM3RSmoxSzpJNTHBFGPBLd9eJ724IvF5
Qigo8IdpPTZUv7EHmK2va97nH+AK7HDAPWTsOpM49CZXy1xz9N8Be3I8ayUgMO6a
VuAKpQFGEpuNGq+DCvyUOyVa5jeEf50wWHXBMPlVjdZK/46aNKmg9YyGDmZn1YIG
eAc6mhW0yM/+vvz9Wof5+RHHOBbVmAI7e7Mm7gR6xLZ0zty9FdPtEvxPnzzPIBjS
tPxvFr3j/9maW7iJNX1c/FTqXY+VAfUy7mpvrEZrGQARAQABtCRUb2RkIEMuIE1p
bGxlciA8VG9kZC5NaWxsZXJAc3Vkby53cz6JAk4EEwEIADgWIQRZ0enMuis3ZwT9
01up9MAhzqRw+wUCWiRqJAIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRCp
9MAhzqRw+5TmEACtyNWwMIfo/0okILNHryc61nA96XznSsQS9u5AaRN06l6dp+1i
x7FrSlXvCq1Oq7kajsF8Nnq9y2r7Os9ZsZSwGF1JGTt/qBT8N+Y+pEIe7igTSxv3
UJINuY2uQvR6y7GOmvMVHvLUAR48WXhS3w4UVlBfDx4UEuLFocurDsNgqYBEv3QY
ORUNCVMZlJg6/d8X3KpAK+Og3V13L8NjqZ546sRZub42FjJhxNh1mKLU+Q1Y+9Jm
B3EMBBOTY+OAnwQJiLcW3l1RdA8d2wTQ3+CnwywJrcUm3yKwMGgPxs8+ywol9B2G
5DtXYO82Flzfzb8kHQ6JRKBFVa3dz2NZt82VIIovfEl90zvBaEJVlNH/XH5qsVLY
LHB/NZUwxxz573HSMW4YCQgZZWaZ0byjb27KYd6S7Tj/DV5uQvVmGcRQ7sAcJoKV
G3XVlm+n5XnCWXddySOtt3XZbByIAyC5iu8LuLjCauO0sUX0L4yKnc0e4bqCglIm
JGZuuOL5tLYOL7Bd/RWj2uC+dpPaol6VAefGDUv8GqKa+Y28FRXKVvxcQwLYLm4D
A6hYV9f/0RjjPT/8VDk/dfytydhpaDnNu1nieAa5lx3/BPYPiuLgWg4DXpfW4IIG
IMaEULDOfN7xOELfbTnIru89aWc+kqdzfrMPhLwxClHg2JWrjuE+BPzMXrkCDQRa
JGokARAAxGZu+BKBt8rY8lF/7wQBfrqx2nlUTvdMlmUELT3e8Gw/z7+qArjYn+Xm
7TTh490KMaATKFnDol0vfvlMXre4hyCC1/+B2qjEKiUCvVhwmKQFNV3pmbugTlbd
EnHuf5sbzU32HWb2x2L4jMcrN97CQq6qx65S05uo7TS7DM7xPUCrGZKeXvlQVmJv
0gH3symIy2ZQoLtTYyMoaDfifKLHbQfR2WSxPy7cb6mjX1jMOD8dGGazLDGohCDp
Lhs4MbFTjwh1PBhFETBbAh5/ElNefpfT25w7RkPaMLiXmxTSQu/uugldjAsz5uQ8
D39TueoeFymBOUH76dM1VewNzHxZTp0GpnOfvhtleKg/870tNhLphf811g1HxeNM
+W9oU5kY/dcFo71SHwuVzMSGU3QOuJmLso3epFsMfs5mDML8UT+gXZgI2gfu0VPj
a4ashJ6Pd+OUpH7awFNLa7CoGILpBTIN1xxUCyzk1DNkscWYCgMUobdSEi/W59iC
PlrDW5tPCfIzTA06F6WhjFKoYaM9oqBM113J9j+t4FK7gkrao9ksF6eKaohNEiGJ
WRFJUwHf1jiHWafwZTAm1ZE9yuUksBbWrcEYdoak4CRcc1BaZWNd4PKn9IFoFSjb
e8WAGoRLcv0sNujmN+UiQ+LesIUw3QA0YWXsN9sijUxroC/ClZMAEQEAAYkCNgQY
AQgAIBYhBFnR6cy6KzdnBP3TW6n0wCHOpHD7BQJaJGokAhsMAAoJEKn0wCHOpHD7
ok0QAJSNCcZAUTmQRlhncToRg6lLqwgIDx/GLYq6F/WDYn6Me2QalyUskpFX12qm
JBlaMFHAus7bhbtyQBcEmPW9MY+HhItvRYXpKMbgEdxnMvD5uY+zDHiScRECH8gt
Zy8Uld0HiCy2aWgwt3LtVRuLu/wt5KsLq1s9zpEHQ0P9AHnz+EWFArCHCC8FatWE
47zZLDLOuMSLeS7HBSheloyTwezfdzbKnyD3JVwoTID0LP2Wo5FspqwYkIN93zRy
TrlC6lmPR+TMzMsAeAh2kHpoV03z6isTO59jIqj1Nrai8fhd4DyfnRBBjkoXJTPe
TM+MFa1gdU2B8VJfoqG7Ti780Tg83Z4/H9EEdD/pHzI8ay6xX5ABJhDnPHTPz3fK
PaxwrfOJGyCvAr8qbCVql1Dp8b3sTAlWbG/Cqz7q3NhF298o4A1EDu5IADWKOhek
djF/dutRHMCbvJKA0q4XiZu9YVYv7yysRPTicwvN9W5z7a5oIJLCXXtetNtoFZFo
UDDZjmaCA6pcbFX9FZ96b9jLNa/BKvtlCTsosJHxf9XNiSx5dW9wHuojr60wvLxV
K/N2anvjEfYuVxlfcKjOHpJuOX7xAcOAVAWnNvY/vSZCvAo2azMB5NOxu2Iz3pyq
ARpClI6b14giASYMfWkb2Bfx2Sc44SHXcm5MxiTt51tB8i+d
=bkRz
-----END PGP PUBLIC KEY BLOCK-----

7
sudo.pamd Normal file
View File

@ -0,0 +1,7 @@
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session optional pam_keyinit.so revoke
session include common-session-nonlogin
# session optional pam_xauth.so

341
sudo.spec Normal file
View File

@ -0,0 +1,341 @@
#
# spec file for package sudo
#
# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%if %{defined _distconfdir} && 0%{?suse_version} >= 1600
%define confdir %{_distconfdir}
%define confmode 0444
%else
%define confdir %{_sysconfdir}
%define confmode 0440
%endif
Name: sudo
Version: 1.9.15p5
Release: 0
Summary: Execute some commands as root
License: ISC
Group: System/Base
URL: https://www.sudo.ws/
Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz
Source1: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz.sig
Source2: %{name}.keyring
Source3: sudo.pamd
Source4: sudo-i.pamd
Source5: README.SUSE
Source6: fate_313276_test.sh
Source7: README_313276.test
Source8: 50-wheel-auth-self.conf
Source9: 51-wheel.rules
Source10: system-group-sudo.conf
# PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
Patch0: sudo-sudoers.patch
BuildRequires: audit-devel
BuildRequires: cyrus-sasl-devel
BuildRequires: groff
BuildRequires: libopenssl-devel
BuildRequires: libselinux-devel
BuildRequires: openldap2-devel
BuildRequires: pam-devel
BuildRequires: python3-devel
BuildRequires: systemd-rpm-macros
BuildRequires: sysuser-tools
BuildRequires: zlib-devel
Requires(pre): coreutils
Requires(pre): permissions
Recommends: sudo-plugin-python
%description
Sudo is a command that allows users to execute some commands as root.
%if %{defined _distconfdir}
Sudo reads either %{_sysconfdir}/sudoers or %{_distconfdir}/sudoers
(in that order, whichever one it finds first), to determine what users have
%else
The %{_sysconfdir}/sudoers file specifies which users have
%endif
access to sudo and which commands they can run. Sudo logs all its
activities to syslogd, so the system administrator can keep an eye on
things. Sudo asks for the password to initialize a check period of a
given time N (where N is defined at installation and is set to 5
minutes by default). Administrators can edit the sudoers file with 'visudo'.
%package plugin-python
Summary: Plugin API for python
Group: System/Base
Requires: %{name} = %{version}
%description plugin-python
This package contains the sudo plugin which allows to write sudo plugins
in python. The API closely follows the C sudo plugin API described by
sudo_plugin(5).
%package devel
Summary: Header files needed for sudo plugin development
Group: Development/Libraries/C and C++
Requires: %{name} = %{version}
%description devel
These header files are needed for building of sudo plugins.
%package test
Summary: Tests for the package
Group: Development/Tools/Other
Requires: %{name} = %{version}
%description test
Tests for fate#313276
%package policy-wheel-auth-self
Summary: Users in the wheel group can authenticate as admin
Group: System/Base
Requires: %{name} = %{version}
Requires: group(wheel)
%description policy-wheel-auth-self
Sudo authentication policy that allows users in the wheel group to
authenticate as root with their own password
%package policy-sudo-auth-self
Summary: Users in the sudo group can authenticate as admin
Group: System/Base
Requires: %{name} = %{version}
Requires: group(sudo)
%description policy-sudo-auth-self
Sudo authentication policy that allows users in the sudo group to
authenticate as root with their own password
%package -n system-group-sudo
Summary: System group 'sudo'
Group: System/Fhs
%{sysusers_requires}
%description -n system-group-sudo
This package provides the system group 'sudo'.
%prep
%autosetup -p1
%build
%sysusers_generate_pre %{SOURCE10} sudo system-group-sudo.conf
%ifarch s390 s390x %{sparc}
F_PIE=-fPIE
%else
F_PIE=-fpie
%endif
export CFLAGS="%{optflags} -Wall $F_PIE -DLDAP_DEPRECATED"
export LDFLAGS="-pie"
%configure \
--libexecdir=%{_libexecdir}/sudo \
--docdir=%{_docdir}/%{name} \
--with-noexec=%{_libexecdir}/sudo/sudo_noexec.so \
--enable-tmpfiles.d=%{_tmpfilesdir} \
%if %{defined _distconfdir}
--prefix=/usr \
--sysconfdir=%{_distconfdir} \
--enable-adminconf=%{_sysconfdir} \
%endif
--with-pam \
--with-pam-login \
--with-ldap \
--with-selinux \
--with-linux-audit \
--with-logfac=auth \
--with-all-insults \
--with-ignore-dot \
--with-tty-tickets \
--enable-shell-sets-home \
--enable-warnings \
--enable-python \
--enable-openssl \
--with-sendmail=%{_sbindir}/sendmail \
--with-sudoers-mode=0440 \
--with-env-editor \
--without-secure-path \
--with-passprompt="[sudo] password for %%p: " \
--with-rundir=%{_localstatedir}/lib/sudo \
--with-sssd
%if 0%{?sle_version} < 150000
# the SLES12 way
%make_build
%else
# -B required to make every build give the same result - maybe from bad build deps in Makefiles?
%make_build -B
%endif
%install
%make_install install_uid=`id -u` install_gid=`id -g`
%if 0%{?suse_version} <= 1500
sed -i '/^session/s/common-session-nonlogin/common-session/g' %{SOURCE3}
%endif
%if %{defined _distconfdir}
install -d -m 755 %{buildroot}%{_pam_vendordir}
install -m 644 %{SOURCE3} %{buildroot}%{_pam_vendordir}/sudo
install -m 644 %{SOURCE4} %{buildroot}%{_pam_vendordir}/sudo-i
%else
install -d -m 755 %{buildroot}%{_sysconfdir}/pam.d
install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/pam.d/sudo
install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/sudo-i
%endif
rm -f %{buildroot}%{_bindir}/sudoedit
ln -sf %{_bindir}/sudo %{buildroot}%{_bindir}/sudoedit
install -d -m 755 %{buildroot}%{_sysconfdir}/openldap/schema
install -m 644 %{SOURCE5} %{buildroot}%{_docdir}/%{name}/
rm -f %{buildroot}%{_docdir}/%{name}/sample.pam
rm -f %{buildroot}%{_docdir}/%{name}/sample.syslog.conf
rm -f %{buildroot}%{_docdir}/%{name}/schema.OpenLDAP
rm -f %{buildroot}%{confdir}/sudoers.dist
%if %{defined _distconfdir}
# Move /etc to /usr/etc/
mkdir -p %{buildroot}%{_distconfdir}/sudoers.d %{buildroot}%{_sysconfdir}/sudoers.d
chmod 644 %{buildroot}%{_distconfdir}/sudoers
echo "@includedir /etc/sudoers.d" >> %{buildroot}%{_distconfdir}/sudoers
%endif
install -D -m 644 %{SOURCE8} %{buildroot}%{confdir}/sudoers.d/50-wheel-auth-self
install -D -m 644 %{SOURCE9} %{buildroot}/usr/share/polkit-1/rules.d/51-wheel.rules
sed -e 's/wheel/sudo/g' < %{SOURCE8} > %{buildroot}%{confdir}/sudoers.d/50-sudo-auth-self
sed -e 's/wheel/sudo/g' < %{SOURCE9} > %{buildroot}/usr/share/polkit-1/rules.d/51-sudo.rules
install -D -m 644 %{SOURCE10} %{buildroot}%{_sysusersdir}/system-group-sudo.conf
%find_lang %{name}
%find_lang sudoers
cat sudoers.lang >> %{name}.lang
# tests
install -d -m 755 %{buildroot}%{_localstatedir}/lib/tests/sudo
install -m 755 %{SOURCE6} %{buildroot}%{_localstatedir}/lib/tests/sudo
install -m 755 %{SOURCE7} %{buildroot}%{_localstatedir}/lib/tests/sudo
install -d %{buildroot}%{_licensedir}/%{name}
rm -fv %{buildroot}%{_docdir}/%{name}/LICENSE.md
%if %{defined _distconfdir}
%pre
# move outdated pam.d/*.rpmsave files away
for i in sudo sudo-i ; do
test -f %{_sysconfdir}/pam.d/${i}.rpmsave && mv -v %{_sysconfdir}/pam.d/${i}.rpmsave %{_sysconfdir}/pam.d/${i}.rpmsave.old ||:
done
%posttrans
# Migration to /usr/etc.
for i in sudo sudo-i ; do
test -f %{_sysconfdir}/pam.d/${i}.rpmsave && mv -v %{_sysconfdir}/pam.d/${i}.rpmsave %{_sysconfdir}/pam.d/${i} ||:
done
test -f %{_sysconfdir}/sudoers.rpmsave && mv -v %{_sysconfdir}/sudoers.rpmsave %{_sysconfdir}/sudoers ||:
%endif
%post
[ -e %{_sysconfdir}/sudoers ] && chmod 0440 %{_sysconfdir}/sudoers
%if 0%{?suse_version} <= 1130
%run_permissions
%else
%set_permissions %{_bindir}/sudo
%endif
%tmpfiles_create %{_tmpfilesdir}/sudo.conf
%verifyscript
%verify_permissions -e %{_bindir}/sudo
%pre -n system-group-sudo -f sudo.pre
%files -f %{name}.lang
%license LICENSE.md
%doc %{_docdir}/%{name}
%{_mandir}/man1/cvtsudoers.1%{?ext_man}
%{_mandir}/man5/sudoers.5%{?ext_man}
%{_mandir}/man5/sudo.conf.5%{?ext_man}
%{_mandir}/man5/sudoers.ldap.5%{?ext_man}
%{_mandir}/man5/sudoers_timestamp.5%{?ext_man}
%{_mandir}/man8/sudo.8%{?ext_man}
%{_mandir}/man8/sudoedit.8%{?ext_man}
%{_mandir}/man8/sudoreplay.8%{?ext_man}
%{_mandir}/man8/visudo.8%{?ext_man}
%{_mandir}/man5/sudo_logsrv.proto.5%{?ext_man}
%{_mandir}/man5/sudo_logsrvd.conf.5%{?ext_man}
%{_mandir}/man8/sudo_logsrvd.8%{?ext_man}
%{_mandir}/man8/sudo_sendlog.8%{?ext_man}
%{!?_distconfdir:%config(noreplace)} %attr(%confmode,root,root) %{confdir}/sudoers
%attr(0750,root,root) %dir %{confdir}/sudoers.d
%{?_distconfdir:%attr(0750,root,root) %dir %{_sysconfdir}/sudoers.d}
%attr(0644,root,root) %config(noreplace) %{confdir}/sudo.conf
%attr(0644,root,root) %config(noreplace) %{confdir}/sudo_logsrvd.conf
%if %{defined _distconfdir}
%{_pam_vendordir}/sudo
%{_pam_vendordir}/sudo-i
%else
%config(noreplace) %{_sysconfdir}/pam.d/sudo
%config(noreplace) %{_sysconfdir}/pam.d/sudo-i
%endif
%attr(4755,root,root) %{_bindir}/sudo
%{_bindir}/sudoedit
%{_bindir}/sudoreplay
%{_bindir}/cvtsudoers
%{_sbindir}/visudo
%{_sbindir}/sudo_logsrvd
%{_sbindir}/sudo_sendlog
%dir %{_libexecdir}/%{name}
%{_libexecdir}/%{name}/sesh
%{_libexecdir}/%{name}/sudo_noexec.so
%dir %{_libexecdir}/%{name}/%{name}
%{_libexecdir}/%{name}/%{name}/sudoers.so
%{_libexecdir}/%{name}/%{name}/group_file.so
%{_libexecdir}/%{name}/%{name}/system_group.so
%{_libexecdir}/%{name}/%{name}/audit_json.so
%{_libexecdir}/%{name}/%{name}/sudo_intercept.so
%{_libexecdir}/%{name}/libsudo_util.so.*
%attr(0711,root,root) %dir %ghost %{_localstatedir}/lib/%{name}
%attr(0700,root,root) %dir %ghost %{_localstatedir}/lib/%{name}/ts
%dir %{_tmpfilesdir}
%{_tmpfilesdir}/sudo.conf
%files plugin-python
%{_mandir}/man5/sudo_plugin_python.5%{?ext_man}
%{_libexecdir}/%{name}/%{name}/python_plugin.so
%files devel
%doc plugins/sample/sample_plugin.c
%{_includedir}/sudo_plugin.h
%{_mandir}/man5/sudo_plugin.5%{?ext_man}
%attr(0644,root,root) %{_libexecdir}/%{name}/libsudo_util.so
%{_libexecdir}/%{name}/sudo/*.la
%{_libexecdir}/%{name}/*.la
%files test
%{_localstatedir}/lib/tests
%files policy-wheel-auth-self
%{confdir}/sudoers.d/50-wheel-auth-self
%dir /usr/share/polkit-1
%dir %attr(0555,root,root) /usr/share/polkit-1/rules.d
/usr/share/polkit-1/rules.d/51-wheel.rules
%files policy-sudo-auth-self
%{confdir}/sudoers.d/50-sudo-auth-self
%dir /usr/share/polkit-1
%dir %attr(0555,root,root) /usr/share/polkit-1/rules.d
/usr/share/polkit-1/rules.d/51-sudo.rules
%files -n system-group-sudo
%defattr(-,root,root)
%{_sysusersdir}/system-group-sudo.conf
%changelog

2
system-group-sudo.conf Normal file
View File

@ -0,0 +1,2 @@
# Type Name ID GECOS [HOME]
g sudo -