Sync from SUSE:SLFO:Main sudo revision 2e0d34ac30e490d545a77a4287d63a75
commit
6e4ce16597
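--- a/.gitattributes
+++ b/.gitattributes
@@ -0,0 +1,23 @@
+## Default LFS
+*.7z filter=lfs diff=lfs merge=lfs -text
+*.bsp filter=lfs diff=lfs merge=lfs -text
+*.bz2 filter=lfs diff=lfs merge=lfs -text
+*.gem filter=lfs diff=lfs merge=lfs -text
+*.gz filter=lfs diff=lfs merge=lfs -text
+*.jar filter=lfs diff=lfs merge=lfs -text
+*.lz filter=lfs diff=lfs merge=lfs -text
+*.lzma filter=lfs diff=lfs merge=lfs -text
+*.obscpio filter=lfs diff=lfs merge=lfs -text
+*.oxt filter=lfs diff=lfs merge=lfs -text
+*.pdf filter=lfs diff=lfs merge=lfs -text
+*.png filter=lfs diff=lfs merge=lfs -text
+*.rpm filter=lfs diff=lfs merge=lfs -text
+*.tbz filter=lfs diff=lfs merge=lfs -text
+*.tbz2 filter=lfs diff=lfs merge=lfs -text
+*.tgz filter=lfs diff=lfs merge=lfs -text
+*.ttf filter=lfs diff=lfs merge=lfs -text
+*.txz filter=lfs diff=lfs merge=lfs -text
+*.whl filter=lfs diff=lfs merge=lfs -text
+*.xz filter=lfs diff=lfs merge=lfs -text
+*.zip filter=lfs diff=lfs merge=lfs -text
+*.zst filter=lfs diff=lfs merge=lfs -text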
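--- a/50-wheel-auth-self.conf
+++ b/50-wheel-auth-self.conf
@@ -0,0 +1,2 @@
+Defaults:%wheel !targetpw
+%wheel ALL = (root) ALL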
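Review bot: The `(root)` restriction on the second line is narrower than what wheel members appear to get while the default policy from sudo-sudoers.patch is still in place, and the file has no comment saying so. `Defaults:%wheel !targetpw` is bound to the user rather than to a rule, so it presumably also applies when a wheel member matches the shipped `ALL ALL=(ALL) ALL` entry for a non-root target, and that request is then authenticated with the member's own password. A leading comment would make this visible to administrators, for example `## !targetpw applies to every rule a wheel member matches, including the default 'ALL ALL=(ALL) ALL'; remove that default if only (root) is intended`.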
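--- a/51-wheel.rules
+++ b/51-wheel.rules
@@ -0,0 +1 @@
+polkit._suse_admin_groups.push("wheel");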
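--- a/README.SUSE
+++ b/README.SUSE
@@ -0,0 +1,7 @@
+In the default (ie unconfigured) configuration sudo asks for root password.
+This allows to use an ordinary user account for administration of a freshly
+installed system. When configuring sudo, please make sure to delete the two
+following lines:
+
+Defaults targetpw # ask for the password of the target user i.e. root
+%users ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!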
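--- a/README_313276.test
+++ b/README_313276.test
@@ -0,0 +1,19 @@
+To verify that sudo works with SSSD,
+there's has to be a working LDAP server where the sudoers file
+will be saved, local running SSSD and sudo configured to use
+the SSSD plugin.
+
+The sudoers file has to be stored in LDAP.
+A [sudo] service has to be configured in /etc/sssd/sssd.conf
+Sudo needs to be instructed to use SSSD, this is done in /etc/nsswitch.conf,
+by adding a line "sudoers: files sss"
+
+Related material:
+
+/usr/share/doc/packages/sudo/README.LDAP provides a guide how to
+make sudo work with LDAP.
+
+man sudoers.ldap(5) describes the LDAP-based sudoers file
+
+man sssd-ldap(5) describes the LDAP sudo options.
+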
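--- a/fate_313276_test.sh
+++ b/fate_313276_test.sh
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+if [ $(id -u) -ne 0 ]; then
+printf "Please run the test as root.\n"
+exit 1
+fi
+
+if sudo -V | grep -q -- --with-sssd; then
+printf "OK: Sudo has support for SSSD compiled in.\n"
+exit 0
+fi
+
+printf "Error: SSSD support isn't compiled in.\n"
+exit 1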
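Review bot: Nothing in the script says why root is required, and the root check at the top expands `$(id -u)` unquoted inside `[ ]`. The grep on `sudo -V` looks for configure arguments, which sudo prints only for root as far as I know, so a comment such as `# sudo -V lists configure options only when run as root` above the check would explain the guard, and `if [ "$(id -u)" -ne 0 ]; then` keeps the test well-formed if `id` prints nothing. The two failure messages go to stdout; `printf "Error: SSSD support isn't compiled in.\n" >&2` would keep them out of captured output. The check confirms the build flag only, not that the SSSD sudoers source is usable at run time.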
BIN
sudo-1.9.15p5.tar.gz
(Stored with Git LFS)
Normal file
BIN
sudo-1.9.15p5.tar.gz
(Stored with Git LFS)
Normal file
Binary file not shown.
BIN
sudo-1.9.15p5.tar.gz.sig
Normal file
BIN
sudo-1.9.15p5.tar.gz.sig
Normal file
Binary file not shown.
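--- a/sudo-i.pamd
+++ b/sudo-i.pamd
@@ -0,0 +1,7 @@
+#%PAM-1.0
+auth include common-auth
+account include common-account
+password include common-password
+session optional pam_keyinit.so force revoke
+session include common-session
+# session optional pam_xauth.so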
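--- a/sudo-sudoers.patch
+++ b/sudo-sudoers.patch
@@ -0,0 +1,89 @@
+Index: sudo-1.9.15p2/plugins/sudoers/sudoers.in
+===================================================================
+--- sudo-1.9.15p2.orig/plugins/sudoers/sudoers.in
++++ sudo-1.9.15p2/plugins/sudoers/sudoers.in
+@@ -41,32 +41,23 @@
+##
+## Defaults specification
+##
+-## You may wish to keep some of the following environment variables
+-## when running commands via sudo.
+-##
+-## Locale settings
+-# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
+-##
+-## Run X applications through sudo; HOME is used to find the
+-## .Xauthority file. Note that other programs use HOME to find
+-## configuration files and this may lead to privilege escalation!
+-# Defaults env_keep += "HOME"
+-##
+-## X11 resource path settings
+-# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH"
+-##
+-## Desktop path settings
+-# Defaults env_keep += "QTDIR KDEDIR"
+-##
+-## Allow sudo-run commands to inherit the callers' ConsoleKit session
+-# Defaults env_keep += "XDG_SESSION_COOKIE"
+-##
+-## Uncomment to enable special input methods. Care should be taken as
+-## this may allow users to subvert the command being run via sudo.
+-# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
+-##
+-## Uncomment to use a hard-coded PATH instead of the user's to find commands
+-# Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
++## Prevent environment variables from influencing programs in an
++## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151)
++Defaults always_set_home
++Defaults env_reset
++## Change env_reset to !env_reset in previous line to keep all environment variables
++## Following list will no longer be necessary after this change
++Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE"
++## Comment out the preceding line and uncomment the following one if you need
++## to use special input methods. This may allow users to compromise the root
++## account if they are allowed to run commands without authentication.
++#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER"
++
++## Do not insult users when they enter an incorrect password.
++Defaults !insults
++
++## Use this PATH instead of the user's to find commands.
++Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
+##
+## Uncomment to restore the historic behavior where a command is run in
+## the user's own terminal.
+@@ -81,7 +72,6 @@
+## Set maxseq to a smaller number if you don't have unlimited disk space.
+# Defaults log_output
+# Defaults!/usr/bin/sudoreplay !log_output
+-# Defaults!/usr/local/bin/sudoreplay !log_output
+# Defaults!REBOOT !log_output
+# Defaults maxseq = 1000
+##
+@@ -95,6 +85,12 @@
+## slower by these options and also can clutter up the logs.
+# Defaults!PKGMAN !intercept, !log_subcmds
+
++## In the default (unconfigured) configuration, sudo asks for the root password.
++## This allows use of an ordinary user account for administration of a freshly
++## installed system.
++Defaults targetpw # ask for the password of the target user i.e. root
++ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'!
++
+##
+## Runas alias specification
+##
+@@ -110,13 +106,5 @@ root ALL=(ALL:ALL) ALL
+## Same thing without a password
+# %wheel ALL=(ALL:ALL) NOPASSWD: ALL
+
+-## Uncomment to allow members of group sudo to execute any command
+-# %sudo ALL=(ALL:ALL) ALL
+-
+-## Uncomment to allow any user to run sudo if they know the password
+-## of the user they are running the command as (root by default).
+-# Defaults targetpw # Ask for the password of the target user
+-# ALL ALL=(ALL:ALL) ALL # WARNING: only use this together with 'Defaults targetpw'
+-
+## Read drop-in files from @sysconfdir@/sudoers.d
+@includedir @sysconfdir@/sudoers.d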
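Review bot: The added comment `## Change env_reset to !env_reset in previous line to keep all environment variables` invites disabling env_reset without stating the consequence, directly below the comment that cites CVE-2005-2959, CVE-2005-4158 and CVE-2006-0151 as the reason for resetting the environment. I would extend it with a caveat such as `## WARNING: !env_reset passes most of the caller's environment to privileged commands; only use it when every sudo user is fully trusted`. Separately, the third hunk of the embedded patch enables `ALL ALL=(ALL) ALL`, while README.SUSE on this page tells administrators to delete a `%users ALL=(ALL) ALL` line, so the README should name the line that is actually shipped. The embedded hunks show only parts of sudoers.in; the rest of that file is outside this page.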
3910
sudo.changes
Normal file
3910
sudo.changes
Normal file
File diff suppressed because it is too large
79
sudo.keyring
Normal file
79
sudo.keyring
Normal file
@ -0,0 +1,79 @@
|
|||||||
|
pub 1024D/0x5A89DFA27EE470C4 2002-10-02
|
||||||
|
uid [ unknown] Todd C. Miller <Todd.Miller@courtesan.com>
|
||||||
|
sub 1024g/0x4ACA1697D017E72F 2002-10-02
|
||||||
|
|
||||||
|
pub 4096R/0xA9F4C021CEA470FB 2017-12-03
|
||||||
|
uid [ unknown] Todd C. Miller <Todd.Miller@sudo.ws>
|
||||||
|
sub 4096R/0x8BBF1A6CF4565623 2017-12-03
|
||||||
|
|
||||||
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
Version: GnuPG v2
|
||||||
|
|
||||||
|
mQGiBD2bdiURBACyoSsYq9t8jiLnhABRZcgDP2vaoJoGJD3eb9HNsv2+0IrcHaut
|
||||||
|
s1QR1AY88AGTMnQTFWjH1vIXz/YCKnvgqklfbVCMehvkOUKvGv2eP7IkmWvVPIQb
|
||||||
|
kayHCtChOKW86hqxZXyT8sbBJqHGHq7xBbg71uZ/CSaTY3ATencRX+UndwCg6ujz
|
||||||
|
FFQhKoVwnPdYPkYA10kp2UsD/2Act3O9UJabaln5MLqLQrxo1Cqa3+ht4liAAOr3
|
||||||
|
psMPcieyIULQ4yE19Jvb90s2sao88BUPVeDxBHV/nhcNQxlH4Boc+kWtU36XSxU3
|
||||||
|
yrUhZDQIvrM4o1yCSgNSwUM88+qYm6ETAT0sZAiFT9biMjsT4Bw13KihyYtE2L36
|
||||||
|
LdXOA/9MEH8zWRqUjQMt4X1yKTjwmIotAd9xetVNj+4lfTgmsnlZoex7T94Id0+B
|
||||||
|
FDDSj4gpQ7GpFa0qOQgTyaUo5HgoPFw4F9TjebWiyey2SznIw4960KoAwfSTdSOG
|
||||||
|
GoD96xuBsmQGCfdIFW43SJngXKiOpF/3VHoUxGYhTefOSGHAvLQqVG9kZCBDLiBN
|
||||||
|
aWxsZXIgPFRvZGQuTWlsbGVyQGNvdXJ0ZXNhbi5jb20+iFkEExECABkFAj2bdiUE
|
||||||
|
CwcDAgMVAgMDFgIBAh4BAheAAAoJEFqJ36J+5HDEQigAoLdD+y5EQzvogb6oybhC
|
||||||
|
pBBmefqYAKDGlnXX7JNBJYBv/r5TBg4+zLOOL7kBDQQ9m3YnEAQAzhN0fOfOz3+z
|
||||||
|
m0rHJ+hCW06ME9W1UWTgPdkh6izMO29j5tsq7MDOEoiBA8fGNV9+1nqXS3PWsYpP
|
||||||
|
qnm+Yx/8zHPsepiOWe3UaJruBfFT8BlGSzN6p9aO1liQOnv57XouRab5tUFZPDM7
|
||||||
|
ADHGAlruyvZjzywj/v6FWNoY6DLiqosAAwUEAKSap7csw/skFED0lF/lsllvmRa7
|
||||||
|
4kd/lEYGPB62Cyau/4nucrnZrBNP7wSIdpCLzQxq6l/j/vP5aUV8qN2W6+DY1CZA
|
||||||
|
rodtZKPUNGHCdop9ZcskEx6eOG2ivYpgn0z6scoXUJ4g5kCSshzPedG4DOLHFMtE
|
||||||
|
hVDWxnHdtn0UFCntiEYEGBECAAYFAj2bdicACgkQWonfon7kcMTOeACgmCPD1Is5
|
||||||
|
KhRmc+7kY4ILfdUX5OUAn2mdSBk/pObAfpdPzasJT7QxIQFLmQINBFokaiQBEADM
|
||||||
|
mTjkUBpTgLLiv85lz0UGmgVj39si2Gd3RC2/qz3UmHhS0qnL4x3LejZQOifaevT3
|
||||||
|
wIgOjU+YtyHleW2lZp0a/ndtFgXHeVJTQ12Ej5NbOHBFECWkWyXj1Rv/vBopI7Ox
|
||||||
|
ERjAjoUQLSu6nsksclYoO0pZywm+K17os1i5Qbi0djdYjHT5Asiqnef5g02a8DJz
|
||||||
|
QCq37VM046gFRhnp/unJoi4iexpjH/HL4tlRO7/3pDwV6MFVWDhNcrlP6AnmSzYb
|
||||||
|
Fv8Nt4MsbWU0oYa1TtRmuqxn5R/Lb9i4Uj793qZz3I/cDqv78kd3lRJ5TbjXR1D2
|
||||||
|
alhGVP6+0KWOKd5rpDSwYNojwKdVI6faJUOjRRSHGmZiNYFWp5UXDQUeFXmzEFWa
|
||||||
|
XgIXbmH0SqpVkKvwhH/sn0G3ryLXnPizjM3RSmoxSzpJNTHBFGPBLd9eJ724IvF5
|
||||||
|
Qigo8IdpPTZUv7EHmK2va97nH+AK7HDAPWTsOpM49CZXy1xz9N8Be3I8ayUgMO6a
|
||||||
|
VuAKpQFGEpuNGq+DCvyUOyVa5jeEf50wWHXBMPlVjdZK/46aNKmg9YyGDmZn1YIG
|
||||||
|
eAc6mhW0yM/+vvz9Wof5+RHHOBbVmAI7e7Mm7gR6xLZ0zty9FdPtEvxPnzzPIBjS
|
||||||
|
tPxvFr3j/9maW7iJNX1c/FTqXY+VAfUy7mpvrEZrGQARAQABtCRUb2RkIEMuIE1p
|
||||||
|
bGxlciA8VG9kZC5NaWxsZXJAc3Vkby53cz6JAk4EEwEIADgWIQRZ0enMuis3ZwT9
|
||||||
|
01up9MAhzqRw+wUCWiRqJAIbAwULCQgHAwUVCgkICwUWAgMBAAIeAQIXgAAKCRCp
|
||||||
|
9MAhzqRw+5TmEACtyNWwMIfo/0okILNHryc61nA96XznSsQS9u5AaRN06l6dp+1i
|
||||||
|
x7FrSlXvCq1Oq7kajsF8Nnq9y2r7Os9ZsZSwGF1JGTt/qBT8N+Y+pEIe7igTSxv3
|
||||||
|
UJINuY2uQvR6y7GOmvMVHvLUAR48WXhS3w4UVlBfDx4UEuLFocurDsNgqYBEv3QY
|
||||||
|
ORUNCVMZlJg6/d8X3KpAK+Og3V13L8NjqZ546sRZub42FjJhxNh1mKLU+Q1Y+9Jm
|
||||||
|
B3EMBBOTY+OAnwQJiLcW3l1RdA8d2wTQ3+CnwywJrcUm3yKwMGgPxs8+ywol9B2G
|
||||||
|
5DtXYO82Flzfzb8kHQ6JRKBFVa3dz2NZt82VIIovfEl90zvBaEJVlNH/XH5qsVLY
|
||||||
|
LHB/NZUwxxz573HSMW4YCQgZZWaZ0byjb27KYd6S7Tj/DV5uQvVmGcRQ7sAcJoKV
|
||||||
|
G3XVlm+n5XnCWXddySOtt3XZbByIAyC5iu8LuLjCauO0sUX0L4yKnc0e4bqCglIm
|
||||||
|
JGZuuOL5tLYOL7Bd/RWj2uC+dpPaol6VAefGDUv8GqKa+Y28FRXKVvxcQwLYLm4D
|
||||||
|
A6hYV9f/0RjjPT/8VDk/dfytydhpaDnNu1nieAa5lx3/BPYPiuLgWg4DXpfW4IIG
|
||||||
|
IMaEULDOfN7xOELfbTnIru89aWc+kqdzfrMPhLwxClHg2JWrjuE+BPzMXrkCDQRa
|
||||||
|
JGokARAAxGZu+BKBt8rY8lF/7wQBfrqx2nlUTvdMlmUELT3e8Gw/z7+qArjYn+Xm
|
||||||
|
7TTh490KMaATKFnDol0vfvlMXre4hyCC1/+B2qjEKiUCvVhwmKQFNV3pmbugTlbd
|
||||||
|
EnHuf5sbzU32HWb2x2L4jMcrN97CQq6qx65S05uo7TS7DM7xPUCrGZKeXvlQVmJv
|
||||||
|
0gH3symIy2ZQoLtTYyMoaDfifKLHbQfR2WSxPy7cb6mjX1jMOD8dGGazLDGohCDp
|
||||||
|
Lhs4MbFTjwh1PBhFETBbAh5/ElNefpfT25w7RkPaMLiXmxTSQu/uugldjAsz5uQ8
|
||||||
|
D39TueoeFymBOUH76dM1VewNzHxZTp0GpnOfvhtleKg/870tNhLphf811g1HxeNM
|
||||||
|
+W9oU5kY/dcFo71SHwuVzMSGU3QOuJmLso3epFsMfs5mDML8UT+gXZgI2gfu0VPj
|
||||||
|
a4ashJ6Pd+OUpH7awFNLa7CoGILpBTIN1xxUCyzk1DNkscWYCgMUobdSEi/W59iC
|
||||||
|
PlrDW5tPCfIzTA06F6WhjFKoYaM9oqBM113J9j+t4FK7gkrao9ksF6eKaohNEiGJ
|
||||||
|
WRFJUwHf1jiHWafwZTAm1ZE9yuUksBbWrcEYdoak4CRcc1BaZWNd4PKn9IFoFSjb
|
||||||
|
e8WAGoRLcv0sNujmN+UiQ+LesIUw3QA0YWXsN9sijUxroC/ClZMAEQEAAYkCNgQY
|
||||||
|
AQgAIBYhBFnR6cy6KzdnBP3TW6n0wCHOpHD7BQJaJGokAhsMAAoJEKn0wCHOpHD7
|
||||||
|
ok0QAJSNCcZAUTmQRlhncToRg6lLqwgIDx/GLYq6F/WDYn6Me2QalyUskpFX12qm
|
||||||
|
JBlaMFHAus7bhbtyQBcEmPW9MY+HhItvRYXpKMbgEdxnMvD5uY+zDHiScRECH8gt
|
||||||
|
Zy8Uld0HiCy2aWgwt3LtVRuLu/wt5KsLq1s9zpEHQ0P9AHnz+EWFArCHCC8FatWE
|
||||||
|
47zZLDLOuMSLeS7HBSheloyTwezfdzbKnyD3JVwoTID0LP2Wo5FspqwYkIN93zRy
|
||||||
|
TrlC6lmPR+TMzMsAeAh2kHpoV03z6isTO59jIqj1Nrai8fhd4DyfnRBBjkoXJTPe
|
||||||
|
TM+MFa1gdU2B8VJfoqG7Ti780Tg83Z4/H9EEdD/pHzI8ay6xX5ABJhDnPHTPz3fK
|
||||||
|
PaxwrfOJGyCvAr8qbCVql1Dp8b3sTAlWbG/Cqz7q3NhF298o4A1EDu5IADWKOhek
|
||||||
|
djF/dutRHMCbvJKA0q4XiZu9YVYv7yysRPTicwvN9W5z7a5oIJLCXXtetNtoFZFo
|
||||||
|
UDDZjmaCA6pcbFX9FZ96b9jLNa/BKvtlCTsosJHxf9XNiSx5dW9wHuojr60wvLxV
|
||||||
|
K/N2anvjEfYuVxlfcKjOHpJuOX7xAcOAVAWnNvY/vSZCvAo2azMB5NOxu2Iz3pyq
|
||||||
|
ARpClI6b14giASYMfWkb2Bfx2Sc44SHXcm5MxiTt51tB8i+d
|
||||||
|
=bkRz
|
||||||
|
-----END PGP PUBLIC KEY BLOCK-----
|
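--- a/sudo.pamd
+++ b/sudo.pamd
@@ -0,0 +1,7 @@
+#%PAM-1.0
+auth include common-auth
+account include common-account
+password include common-password
+session optional pam_keyinit.so revoke
+session include common-session-nonlogin
+# session optional pam_xauth.so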
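--- a/sudo.spec
+++ b/sudo.spec
@@ -0,0 +1,341 @@
+#
+# spec file for package sudo
+#
+# Copyright (c) 2024 SUSE LLC
+#
+# All modifications and additions to the file contributed by third parties
+# remain the property of their copyright owners, unless otherwise agreed
+# upon. The license for this file, and modifications and additions to the
+# file, is the same license as for the pristine package itself (unless the
+# license for the pristine package is not an Open Source License, in which
+# case the license is the MIT License). An "Open Source License" is a
+# license that conforms to the Open Source Definition (Version 1.9)
+# published by the Open Source Initiative.
+
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
+#
+
+
+%if %{defined _distconfdir} && 0%{?suse_version} >= 1600
+%define confdir %{_distconfdir}
+%define confmode 0444
+%else
+%define confdir %{_sysconfdir}
+%define confmode 0440
+%endif
+
+Name: sudo
+Version: 1.9.15p5
+Release: 0
+Summary: Execute some commands as root
+License: ISC
+Group: System/Base
+URL: https://www.sudo.ws/
+Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz
+Source1: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz.sig
+Source2: %{name}.keyring
+Source3: sudo.pamd
+Source4: sudo-i.pamd
+Source5: README.SUSE
+Source6: fate_313276_test.sh
+Source7: README_313276.test
+Source8: 50-wheel-auth-self.conf
+Source9: 51-wheel.rules
+Source10: system-group-sudo.conf
+# PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
+Patch0: sudo-sudoers.patch
+BuildRequires: audit-devel
+BuildRequires: cyrus-sasl-devel
+BuildRequires: groff
+BuildRequires: libopenssl-devel
+BuildRequires: libselinux-devel
+BuildRequires: openldap2-devel
+BuildRequires: pam-devel
+BuildRequires: python3-devel
+BuildRequires: systemd-rpm-macros
+BuildRequires: sysuser-tools
+BuildRequires: zlib-devel
+Requires(pre): coreutils
+Requires(pre): permissions
+Recommends: sudo-plugin-python
+
+%description
+Sudo is a command that allows users to execute some commands as root.
+%if %{defined _distconfdir}
+Sudo reads either %{_sysconfdir}/sudoers or %{_distconfdir}/sudoers
+(in that order, whichever one it finds first), to determine what users have
+%else
+The %{_sysconfdir}/sudoers file specifies which users have
+%endif
+access to sudo and which commands they can run. Sudo logs all its
+activities to syslogd, so the system administrator can keep an eye on
+things. Sudo asks for the password to initialize a check period of a
+given time N (where N is defined at installation and is set to 5
+minutes by default). Administrators can edit the sudoers file with 'visudo'.
+
+%package plugin-python
+Summary: Plugin API for python
+Group: System/Base
+Requires: %{name} = %{version}
+
+%description plugin-python
+This package contains the sudo plugin which allows to write sudo plugins
+in python. The API closely follows the C sudo plugin API described by
+sudo_plugin(5).
+
+%package devel
+Summary: Header files needed for sudo plugin development
+Group: Development/Libraries/C and C++
+Requires: %{name} = %{version}
+
+%description devel
+These header files are needed for building of sudo plugins.
+
+%package test
+Summary: Tests for the package
+Group: Development/Tools/Other
+Requires: %{name} = %{version}
+
+%description test
+Tests for fate#313276
+
+%package policy-wheel-auth-self
+Summary: Users in the wheel group can authenticate as admin
+Group: System/Base
+Requires: %{name} = %{version}
+Requires: group(wheel)
+
+%description policy-wheel-auth-self
+Sudo authentication policy that allows users in the wheel group to
+authenticate as root with their own password
+
+%package policy-sudo-auth-self
+Summary: Users in the sudo group can authenticate as admin
+Group: System/Base
+Requires: %{name} = %{version}
+Requires: group(sudo)
+
+%description policy-sudo-auth-self
+Sudo authentication policy that allows users in the sudo group to
+authenticate as root with their own password
+
+%package -n system-group-sudo
+Summary: System group 'sudo'
+Group: System/Fhs
+%{sysusers_requires}
+
+%description -n system-group-sudo
+This package provides the system group 'sudo'.
+
+%prep
+%autosetup -p1
+
+%build
+%sysusers_generate_pre %{SOURCE10} sudo system-group-sudo.conf
+%ifarch s390 s390x %{sparc}
+F_PIE=-fPIE
+%else
+F_PIE=-fpie
+%endif
+export CFLAGS="%{optflags} -Wall $F_PIE -DLDAP_DEPRECATED"
+export LDFLAGS="-pie"
+%configure \
+--libexecdir=%{_libexecdir}/sudo \
+--docdir=%{_docdir}/%{name} \
+--with-noexec=%{_libexecdir}/sudo/sudo_noexec.so \
+--enable-tmpfiles.d=%{_tmpfilesdir} \
+%if %{defined _distconfdir}
+--prefix=/usr \
+--sysconfdir=%{_distconfdir} \
+--enable-adminconf=%{_sysconfdir} \
+%endif
+--with-pam \
+--with-pam-login \
+--with-ldap \
+--with-selinux \
+--with-linux-audit \
+--with-logfac=auth \
+--with-all-insults \
+--with-ignore-dot \
+--with-tty-tickets \
+--enable-shell-sets-home \
+--enable-warnings \
+--enable-python \
+--enable-openssl \
+--with-sendmail=%{_sbindir}/sendmail \
+--with-sudoers-mode=0440 \
+--with-env-editor \
+--without-secure-path \
+--with-passprompt="[sudo] password for %%p: " \
+--with-rundir=%{_localstatedir}/lib/sudo \
+--with-sssd
+%if 0%{?sle_version} < 150000
+# the SLES12 way
+%make_build
+%else
+# -B required to make every build give the same result - maybe from bad build deps in Makefiles?
+%make_build -B
+%endif
+
+%install
+%make_install install_uid=`id -u` install_gid=`id -g`
+%if 0%{?suse_version} <= 1500
+sed -i '/^session/s/common-session-nonlogin/common-session/g' %{SOURCE3}
+%endif
+%if %{defined _distconfdir}
+install -d -m 755 %{buildroot}%{_pam_vendordir}
+install -m 644 %{SOURCE3} %{buildroot}%{_pam_vendordir}/sudo
+install -m 644 %{SOURCE4} %{buildroot}%{_pam_vendordir}/sudo-i
+%else
+install -d -m 755 %{buildroot}%{_sysconfdir}/pam.d
+install -m 644 %{SOURCE3} %{buildroot}%{_sysconfdir}/pam.d/sudo
+install -m 644 %{SOURCE4} %{buildroot}%{_sysconfdir}/pam.d/sudo-i
+%endif
+rm -f %{buildroot}%{_bindir}/sudoedit
+ln -sf %{_bindir}/sudo %{buildroot}%{_bindir}/sudoedit
+install -d -m 755 %{buildroot}%{_sysconfdir}/openldap/schema
+install -m 644 %{SOURCE5} %{buildroot}%{_docdir}/%{name}/
+rm -f %{buildroot}%{_docdir}/%{name}/sample.pam
+rm -f %{buildroot}%{_docdir}/%{name}/sample.syslog.conf
+rm -f %{buildroot}%{_docdir}/%{name}/schema.OpenLDAP
+rm -f %{buildroot}%{confdir}/sudoers.dist
+
+%if %{defined _distconfdir}
+# Move /etc to /usr/etc/
+mkdir -p %{buildroot}%{_distconfdir}/sudoers.d %{buildroot}%{_sysconfdir}/sudoers.d
+chmod 644 %{buildroot}%{_distconfdir}/sudoers
+echo "@includedir /etc/sudoers.d" >> %{buildroot}%{_distconfdir}/sudoers
+%endif
+
+install -D -m 644 %{SOURCE8} %{buildroot}%{confdir}/sudoers.d/50-wheel-auth-self
+install -D -m 644 %{SOURCE9} %{buildroot}/usr/share/polkit-1/rules.d/51-wheel.rules
+
+sed -e 's/wheel/sudo/g' < %{SOURCE8} > %{buildroot}%{confdir}/sudoers.d/50-sudo-auth-self
+sed -e 's/wheel/sudo/g' < %{SOURCE9} > %{buildroot}/usr/share/polkit-1/rules.d/51-sudo.rules
+
+install -D -m 644 %{SOURCE10} %{buildroot}%{_sysusersdir}/system-group-sudo.conf
+
+%find_lang %{name}
+%find_lang sudoers
+cat sudoers.lang >> %{name}.lang
+# tests
+install -d -m 755 %{buildroot}%{_localstatedir}/lib/tests/sudo
+install -m 755 %{SOURCE6} %{buildroot}%{_localstatedir}/lib/tests/sudo
+install -m 755 %{SOURCE7} %{buildroot}%{_localstatedir}/lib/tests/sudo
+
+install -d %{buildroot}%{_licensedir}/%{name}
+rm -fv %{buildroot}%{_docdir}/%{name}/LICENSE.md
+
+%if %{defined _distconfdir}
+%pre
+# move outdated pam.d/*.rpmsave files away
+for i in sudo sudo-i ; do
+test -f %{_sysconfdir}/pam.d/${i}.rpmsave && mv -v %{_sysconfdir}/pam.d/${i}.rpmsave %{_sysconfdir}/pam.d/${i}.rpmsave.old ||:
+done
+
+%posttrans
+# Migration to /usr/etc.
+for i in sudo sudo-i ; do
+test -f %{_sysconfdir}/pam.d/${i}.rpmsave && mv -v %{_sysconfdir}/pam.d/${i}.rpmsave %{_sysconfdir}/pam.d/${i} ||:
+done
+test -f %{_sysconfdir}/sudoers.rpmsave && mv -v %{_sysconfdir}/sudoers.rpmsave %{_sysconfdir}/sudoers ||:
+%endif
+
+%post
+[ -e %{_sysconfdir}/sudoers ] && chmod 0440 %{_sysconfdir}/sudoers
+%if 0%{?suse_version} <= 1130
+%run_permissions
+%else
+%set_permissions %{_bindir}/sudo
+%endif
+%tmpfiles_create %{_tmpfilesdir}/sudo.conf
+
+%verifyscript
+%verify_permissions -e %{_bindir}/sudo
+
+%pre -n system-group-sudo -f sudo.pre
+
+%files -f %{name}.lang
+%license LICENSE.md
+%doc %{_docdir}/%{name}
+%{_mandir}/man1/cvtsudoers.1%{?ext_man}
+%{_mandir}/man5/sudoers.5%{?ext_man}
+%{_mandir}/man5/sudo.conf.5%{?ext_man}
+%{_mandir}/man5/sudoers.ldap.5%{?ext_man}
+%{_mandir}/man5/sudoers_timestamp.5%{?ext_man}
+%{_mandir}/man8/sudo.8%{?ext_man}
+%{_mandir}/man8/sudoedit.8%{?ext_man}
+%{_mandir}/man8/sudoreplay.8%{?ext_man}
+%{_mandir}/man8/visudo.8%{?ext_man}
+%{_mandir}/man5/sudo_logsrv.proto.5%{?ext_man}
+%{_mandir}/man5/sudo_logsrvd.conf.5%{?ext_man}
+%{_mandir}/man8/sudo_logsrvd.8%{?ext_man}
+%{_mandir}/man8/sudo_sendlog.8%{?ext_man}
+
+%{!?_distconfdir:%config(noreplace)} %attr(%confmode,root,root) %{confdir}/sudoers
+%attr(0750,root,root) %dir %{confdir}/sudoers.d
+%{?_distconfdir:%attr(0750,root,root) %dir %{_sysconfdir}/sudoers.d}
+%attr(0644,root,root) %config(noreplace) %{confdir}/sudo.conf
+%attr(0644,root,root) %config(noreplace) %{confdir}/sudo_logsrvd.conf
+
+%if %{defined _distconfdir}
+%{_pam_vendordir}/sudo
+%{_pam_vendordir}/sudo-i
+%else
+%config(noreplace) %{_sysconfdir}/pam.d/sudo
+%config(noreplace) %{_sysconfdir}/pam.d/sudo-i
+%endif
+%attr(4755,root,root) %{_bindir}/sudo
+%{_bindir}/sudoedit
+%{_bindir}/sudoreplay
+%{_bindir}/cvtsudoers
+%{_sbindir}/visudo
+%{_sbindir}/sudo_logsrvd
+%{_sbindir}/sudo_sendlog
+%dir %{_libexecdir}/%{name}
+%{_libexecdir}/%{name}/sesh
+%{_libexecdir}/%{name}/sudo_noexec.so
+%dir %{_libexecdir}/%{name}/%{name}
+%{_libexecdir}/%{name}/%{name}/sudoers.so
+%{_libexecdir}/%{name}/%{name}/group_file.so
+%{_libexecdir}/%{name}/%{name}/system_group.so
+%{_libexecdir}/%{name}/%{name}/audit_json.so
+%{_libexecdir}/%{name}/%{name}/sudo_intercept.so
+%{_libexecdir}/%{name}/libsudo_util.so.*
+%attr(0711,root,root) %dir %ghost %{_localstatedir}/lib/%{name}
+%attr(0700,root,root) %dir %ghost %{_localstatedir}/lib/%{name}/ts
+%dir %{_tmpfilesdir}
+%{_tmpfilesdir}/sudo.conf
+
+%files plugin-python
+%{_mandir}/man5/sudo_plugin_python.5%{?ext_man}
+%{_libexecdir}/%{name}/%{name}/python_plugin.so
+
+%files devel
+%doc plugins/sample/sample_plugin.c
+%{_includedir}/sudo_plugin.h
+%{_mandir}/man5/sudo_plugin.5%{?ext_man}
+%attr(0644,root,root) %{_libexecdir}/%{name}/libsudo_util.so
+%{_libexecdir}/%{name}/sudo/*.la
+%{_libexecdir}/%{name}/*.la
+
+%files test
+%{_localstatedir}/lib/tests
+
+%files policy-wheel-auth-self
+%{confdir}/sudoers.d/50-wheel-auth-self
+%dir /usr/share/polkit-1
+%dir %attr(0555,root,root) /usr/share/polkit-1/rules.d
+/usr/share/polkit-1/rules.d/51-wheel.rules
+
+%files policy-sudo-auth-self
+%{confdir}/sudoers.d/50-sudo-auth-self
+%dir /usr/share/polkit-1
+%dir %attr(0555,root,root) /usr/share/polkit-1/rules.d
+/usr/share/polkit-1/rules.d/51-sudo.rules
+
+%files -n system-group-sudo
+%defattr(-,root,root)
+%{_sysusersdir}/system-group-sudo.conf
+
+%changelog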
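Review bot: In %install the two `sed -e 's/wheel/sudo/g'` lines create `50-sudo-auth-self` and `51-sudo.rules` by shell redirection, so their mode comes from the build umask, whereas the wheel variants just above are installed with `install -D -m 644`, and neither %files entry sets `%attr`. Because sudo refuses to read drop-ins that are world-writable, I would pin the mode explicitly, for example `%attr(0644,root,root) %{confdir}/sudoers.d/50-sudo-auth-self` in `%files policy-sudo-auth-self`, or a `chmod 644` after each sed. Also, `install -m 755 %{SOURCE7}` installs README_313276.test, a text file, as executable; `-m 644` fits it. The `sed -i ... %{SOURCE3}` under `suse_version <= 1500` edits the source file in place rather than the installed copy, so the result depends on the state of the sources directory.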
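--- a/system-group-sudo.conf
+++ b/system-group-sudo.conf
@@ -0,0 +1,2 @@
+# Type Name ID GECOS [HOME]
+g sudo -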