pool/sudo
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
8f8097e0ab
sudo/sudo.spec
Kristyna Streitova c1da9ded70 Accepting request 950728 from home:simotek:branches:Base:System 
- Update to 1.9.9
   * Sudo can now be built with OpenSSL 3.0 without generating
     warnings about deprecated OpenSSL APIs.
   * A digest can now be specified along with the ALL command in
     the LDAP and SSSD back-ends. Sudo 1.9.0 introduced support for
     this in the sudoers file but did not include corresponding
     changes for the other back-ends.
   * visudo now only warns about an undefined alias or a cycle in
     an alias once for each alias.
   * The sudoRole cn was truncated by a single character in warning
     messages. GitHub issue #115.
   * The cvtsudoers utility has new --group-file and --passwd-file
     options to use a custom passwd or group file when the
     --match-local option is also used.
   * The cvtsudoers utility can now filter or match based on a command.
   * The cvtsudoers utility can now produce output in csv
     (comma-separated value) format. This can be used to help generate
     entitlement reports.
   * Fixed a bug in sudo_logsrvd that could result in the connection
     being dropped for very long command lines.
   * Fixed a bug where sudo_logsrvd would not accept a restore point
     of zero.
   * Fixed a bug in visudo where the value of the editor setting was
     not used if it did not match the user’s EDITOR environment
     variable. This was only a problem if the env_editor setting was
     not enabled. Bug #1000.
   * Sudo now builds with the -fcf-protection compiler option and the
     -z now linker option if supported.
   * The output of sudoreplay -l now more closely matches the
     traditional sudo log format.
   * The sudo_sendlog utility will now use the full contents of the
     log.json file, if present. This makes it possible to send
     sudo-format I/O logs that use the newer log.json format to
     sudo_logsrvd without losing any information.
   * Fixed compilation of the arc4random_buf() replacement on systems
     with arc4random() but no arc4random_buf(). Bug #1008.
   * Sudo now uses its own getentropy() by default on Linux. The GNU
     libc version of getentropy() will fail on older kernels that
     don’t support the getrandom() system call.
   * It is now possible to build sudo with WolfSSL’s OpenSSL
     compatibility layer by using the --enable-wolfssl configure
     option.
   * Fixed a bug related to Daylight Saving Time when parsing
     timestamps in Generalized Time format. This affected the NOTBEFORE
     and NOTAFTER options in sudoers. Bug #1006.
   * Added the -O and -P options to visudo, which can be used to check
     or set the owner and permissions. This can be used in conjunction
     with the -c option to check that the sudoers file ownership and
     permissions are correct. Bug #1007.
   * It is now possible to set resource limits in the sudoers file
     itself. The special values default and “user” refer to the
     default system limit and invoking user limit respectively. The
     core dump size limit is now set to 0 by default unless overridden
     by the sudoers file.
   * The cvtsudoers utility can now merge multiple sudoers sources into
     a single, combined sudoers file. If there are conflicting entries,
     cvtsudoers will attempt to resolve them but manual intervention
     may be required. The merging of sudoers rules is currently fairly
     simplistic but will be improved in a future release.
   * Sudo was parsing but not applying the “deref” and “tls_reqcert”
     ldap.conf settings. This meant the options were effectively ignored
     which broke dereferencing of aliases in LDAP. Bug #1013.
   * Clarified in the sudo man page that the security policy may
     override the user’s PATH environment variable. Bug #1014.
   * When sudo is run in non-interactive mode (with the -n option), it
     will now attempt PAM authentication and only exit with an error if
     user interaction is required. This allows PAM modules that don’t
     interact with the user to succeed. Previously, sudo would not
     attempt authentication if the -n option was specified. Bug #956
     and GitHub issue #83.
   * Fixed a regression introduced in version 1.9.1 when sudo is built
     with the --with-fqdn configure option. The local host name was
     being resolved before the sudoers file was processed, making it
     impossible to disable DNS lookups by negating the fqdn sudoers
     option. Bug #1016.
   * Added support for negated sudoUser attributes in the LDAP and SSSD
     sudoers back ends. A matching sudoUser that is negated will cause
     the sudoRole containing it to be ignored.
   * Fixed a bug where the stack resource limit could be set to a value
     smaller than that of the invoking user and not be reset before the
     command was run. Bug #1016.
- sudo no longer ships schema for LDAP.
- sudo-feature-negated-LDAP-users.patch dropped, included upstream
- refreshed sudo-sudoers.patch

OBS-URL: https://build.opensuse.org/request/show/950728
OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=207
2022-02-02 12:27:10 +00:00

253 lines
8.0 KiB
RPMSpec
Raw Blame History

#
# spec file for package sudo
#
# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%if ! %{defined _distconfdir}
%define _distconfdir %{_sysconfdir}
%else
%define use_usretc 1
%endif
Name: sudo
Version: 1.9.9
Release: 0
Summary: Execute some commands as root
License: ISC
Group: System/Base
URL: https://www.sudo.ws/
Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz
Source1: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz.sig
Source2: %{name}.keyring
Source3: sudo.pamd
Source4: sudo-i.pamd
Source5: README.SUSE
Source6: fate_313276_test.sh
Source7: README_313276.test
# PATCH-OPENSUSE: the "SUSE" branding of the default sudo config
Patch0: sudo-sudoers.patch
BuildRequires: audit-devel
BuildRequires: cyrus-sasl-devel
BuildRequires: groff
BuildRequires: libopenssl-devel
BuildRequires: libselinux-devel
BuildRequires: openldap2-devel
BuildRequires: pam-devel
BuildRequires: python3-devel
BuildRequires: systemd-rpm-macros
BuildRequires: zlib-devel
Requires(pre): coreutils
Requires(pre): permissions
Recommends: sudo-plugin-python
%description
Sudo is a command that allows users to execute some commands as root.
The %{_sysconfdir}/sudoers file (edited with 'visudo') specifies which users have
access to sudo and which commands they can run. Sudo logs all its
activities to syslogd, so the system administrator can keep an eye on
things. Sudo asks for the password for initializing a check period of a
given time N (where N is defined at installation and is set to 5
minutes by default).
%package plugin-python
Summary: Plugin API for python
Group: System/Base
Requires: %{name} = %{version}
%description plugin-python
This package contains the sudo plugin which allows to write sudo plugins
in python. The API closely follows the C sudo plugin API described by
sudo_plugin(5).
%package devel
Summary: Header files needed for sudo plugin development
Group: Development/Libraries/C and C++
Requires: %{name} = %{version}
%description devel
These header files are needed for building of sudo plugins.
%package test
Summary: Tests for the package
Group: Development/Tools/Other
Requires: %{name} = %{version}
%description test
Tests for fate#313276
%prep
%autosetup -p1
%build
%ifarch s390 s390x %{sparc}
F_PIE=-fPIE
%else
F_PIE=-fpie
%endif
export CFLAGS="%{optflags} -Wall $F_PIE -DLDAP_DEPRECATED"
export LDFLAGS="-pie"
%configure \
--libexecdir=%{_libexecdir}/sudo \
--docdir=%{_docdir}/%{name} \
--with-noexec=%{_libexecdir}/sudo/sudo_noexec.so \
--enable-tmpfiles.d=%{_tmpfilesdir} \
--with-pam \
--with-pam-login \
--with-ldap \
--with-selinux \
--with-linux-audit \
--with-logfac=auth \
--with-all-insults \
--with-ignore-dot \
--with-tty-tickets \
--enable-shell-sets-home \
--enable-warnings \
--enable-python \
--enable-openssl \
--with-sendmail=%{_sbindir}/sendmail \
--with-sudoers-mode=0440 \
--with-env-editor \
--without-secure-path \
--with-passprompt="[sudo] password for %%p: " \
--with-rundir=%{_localstatedir}/lib/sudo \
--with-sssd
%if 0%{?sle_version} < 150000
# the SLES12 way
make %{?_smp_mflags} V=1
%else
# -B required to make every build give the same result - maybe from bad build deps in Makefiles?
%make_build -B
%endif
%install
%make_install install_uid=`id -u` install_gid=`id -g`
install -d -m 755 %{buildroot}%{_distconfdir}/pam.d
install -m 644 %{SOURCE3} %{buildroot}%{_distconfdir}/pam.d/sudo
install -m 644 %{SOURCE4} %{buildroot}%{_distconfdir}/pam.d/sudo-i
rm -f %{buildroot}%{_bindir}/sudoedit
ln -sf %{_bindir}/sudo %{buildroot}%{_bindir}/sudoedit
install -d -m 755 %{buildroot}%{_sysconfdir}/openldap/schema
install -m 644 %{SOURCE5} %{buildroot}%{_docdir}/%{name}/
rm -f %{buildroot}%{_docdir}/%{name}/sample.pam
rm -f %{buildroot}%{_docdir}/%{name}/sample.syslog.conf
rm -f %{buildroot}%{_docdir}/%{name}/schema.OpenLDAP
rm -f %{buildroot}%{_sysconfdir}/sudoers.dist
%find_lang %{name}
%find_lang sudoers
cat sudoers.lang >> %{name}.lang
# tests
install -d -m 755 %{buildroot}%{_localstatedir}/lib/tests/sudo
install -m 755 %{SOURCE6} %{buildroot}%{_localstatedir}/lib/tests/sudo
install -m 755 %{SOURCE7} %{buildroot}%{_localstatedir}/lib/tests/sudo
install -d %{buildroot}%{_licensedir}/%{name}
install -m 644 %{buildroot}%{_docdir}/%{name}/LICENSE.md %{buildroot}%{_licensedir}/%{name}/LICENSE.md
rm -fv %{buildroot}%{_docdir}/%{name}/LICENSE.md
%if %{defined use_usretc}
%pre
# move outdated pam.d/*.rpmsave files away
for i in sudo sudo-i ; do
test -f %{_sysconfdir}/pam.d/${i}.rpmsave && mv -v %{_sysconfdir}/pam.d/${i}.rpmsave %{_sysconfdir}/pam.d/${i}.rpmsave.old ||:
done
%posttrans
# Migration to /usr/etc.
for i in sudo sudo-i ; do
test -f %{_sysconfdir}/pam.d/${i}.rpmsave && mv -v %{_sysconfdir}/pam.d/${i}.rpmsave %{_sysconfdir}/pam.d/${i} ||:
done
%endif
%post
chmod 0440 %{_sysconfdir}/sudoers
%if 0%{?suse_version} <= 1130
%run_permissions
%else
%set_permissions %{_bindir}/sudo
%endif
%tmpfiles_create %{_tmpfilesdir}/sudo.conf
%verifyscript
%verify_permissions -e %{_bindir}/sudo
%files -f %{name}.lang
%license doc/LICENSE.md
%doc %{_docdir}/%{name}
%{_mandir}/man1/cvtsudoers.1%{?ext_man}
%{_mandir}/man5/sudoers.5%{?ext_man}
%{_mandir}/man5/sudo.conf.5%{?ext_man}
%{_mandir}/man5/sudoers.ldap.5%{?ext_man}
%{_mandir}/man5/sudoers_timestamp.5%{?ext_man}
%{_mandir}/man8/sudo.8%{?ext_man}
%{_mandir}/man8/sudoedit.8%{?ext_man}
%{_mandir}/man8/sudoreplay.8%{?ext_man}
%{_mandir}/man8/visudo.8%{?ext_man}
%{_mandir}/man5/sudo_logsrv.proto.5%{?ext_man}
%{_mandir}/man5/sudo_logsrvd.conf.5%{?ext_man}
%{_mandir}/man8/sudo_logsrvd.8%{?ext_man}
%{_mandir}/man8/sudo_sendlog.8%{?ext_man}
%config(noreplace) %attr(0440,root,root) %{_sysconfdir}/sudoers
%attr(0750,root,root) %dir %{_sysconfdir}/sudoers.d
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sudo.conf
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/sudo_logsrvd.conf
%if %{defined use_usretc}
%{_distconfdir}/pam.d/sudo
%{_distconfdir}/pam.d/sudo-i
%else
%config(noreplace) %{_sysconfdir}/pam.d/sudo
%config(noreplace) %{_sysconfdir}/pam.d/sudo-i
%endif
%attr(4755,root,root) %{_bindir}/sudo
%{_bindir}/sudoedit
%{_bindir}/sudoreplay
%{_bindir}/cvtsudoers
%{_sbindir}/visudo
%{_sbindir}/sudo_logsrvd
%{_sbindir}/sudo_sendlog
%dir %{_libexecdir}/%{name}
%{_libexecdir}/%{name}/sesh
%{_libexecdir}/%{name}/sudo_noexec.so
%dir %{_libexecdir}/%{name}/%{name}
%{_libexecdir}/%{name}/%{name}/sudoers.so
%{_libexecdir}/%{name}/%{name}/group_file.so
%{_libexecdir}/%{name}/%{name}/system_group.so
%{_libexecdir}/%{name}/%{name}/audit_json.so
%{_libexecdir}/%{name}/%{name}/sample_approval.so
%{_libexecdir}/%{name}/%{name}/sudo_intercept.so
%{_libexecdir}/%{name}/libsudo_util.so.*
%attr(0711,root,root) %dir %ghost %{_localstatedir}/lib/%{name}
%attr(0700,root,root) %dir %ghost %{_localstatedir}/lib/%{name}/ts
%dir %{_tmpfilesdir}
%{_tmpfilesdir}/sudo.conf
%files plugin-python
%{_mandir}/man8/sudo_plugin_python.8%{?ext_man}
%{_libexecdir}/%{name}/%{name}/python_plugin.so
%files devel
%doc plugins/sample/sample_plugin.c
%{_includedir}/sudo_plugin.h
%{_mandir}/man8/sudo_plugin.8%{?ext_man}
%attr(0644,root,root) %{_libexecdir}/%{name}/libsudo_util.so
%{_libexecdir}/%{name}/sudo/*.la
%{_libexecdir}/%{name}/*.la
%files test
%{_localstatedir}/lib/tests
%changelog
Reference in New Issue View Git Blame Copy Permalink