From af665bed116483e570c34f990ea9bd6986487221123d85b8a3eff0fc6da98f1b Mon Sep 17 00:00:00 2001 From: Petr Uzel Date: Wed, 23 Mar 2011 12:45:03 +0000 Subject: [PATCH] Accepting request 64993 from home:puzel:staging OBS-URL: https://build.opensuse.org/request/show/64993 OBS-URL: https://build.opensuse.org/package/show/Base:System/sudo?expand=0&rev=20 --- sudo-1.7.1-__P.diff | 12 -- sudo-1.7.1-defaults.diff | 14 --- sudo-1.7.1-pam_rhost.diff | 14 --- sudo-1.7.1-secure_path.diff | 57 --------- sudo-1.7.1-strip.diff | 19 --- sudo-1.7.1-sudoers.diff | 46 ------- sudo-1.7.2p7.tar.gz | 3 - sudo-1.8.0.tar.bz2 | 3 + sudo-CVE-2011-0010.patch | 93 -------------- sudo-dont-ignore-LDFLAGS.patch | 13 ++ sudo-sudoers.patch | 80 ++++++++++++ sudo.changes | 38 ++++++ sudo.spec | 116 ++++++++++-------- sudo-1.7.1-env.diff => sudoers2ldif-env.patch | 6 +- 14 files changed, 202 insertions(+), 312 deletions(-) delete mode 100644 sudo-1.7.1-__P.diff delete mode 100644 sudo-1.7.1-defaults.diff delete mode 100644 sudo-1.7.1-pam_rhost.diff delete mode 100644 sudo-1.7.1-secure_path.diff delete mode 100644 sudo-1.7.1-strip.diff delete mode 100644 sudo-1.7.1-sudoers.diff delete mode 100644 sudo-1.7.2p7.tar.gz create mode 100644 sudo-1.8.0.tar.bz2 delete mode 100644 sudo-CVE-2011-0010.patch create mode 100644 sudo-dont-ignore-LDFLAGS.patch create mode 100644 sudo-sudoers.patch rename sudo-1.7.1-env.diff => sudoers2ldif-env.patch (50%) diff --git a/sudo-1.7.1-__P.diff b/sudo-1.7.1-__P.diff deleted file mode 100644 index 51091a5..0000000 --- a/sudo-1.7.1-__P.diff +++ /dev/null @@ -1,12 +0,0 @@ -Index: compat.h -=================================================================== ---- compat.h.orig -+++ compat.h -@@ -29,6 +29,7 @@ - */ - - /* Deal with ANSI stuff reasonably. */ -+#undef __P - #ifndef __P - # if defined (__cplusplus) || defined (__STDC__) - # define __P(args) args diff --git a/sudo-1.7.1-defaults.diff b/sudo-1.7.1-defaults.diff deleted file mode 100644 index 85d7b92..0000000 
--- a/sudo-1.7.1-defaults.diff +++ /dev/null @@ -1,14 +0,0 @@ -Index: defaults.c -=================================================================== ---- defaults.c.orig -+++ defaults.c -@@ -418,9 +418,6 @@ init_defaults() - #ifdef FQDN - def_fqdn = TRUE; - #endif --#ifdef USE_INSULTS -- def_insults = TRUE; --#endif - #ifdef ENV_EDITOR - def_env_editor = TRUE; - #endif diff --git a/sudo-1.7.1-pam_rhost.diff b/sudo-1.7.1-pam_rhost.diff deleted file mode 100644 index cd835fb..0000000 --- a/sudo-1.7.1-pam_rhost.diff +++ /dev/null @@ -1,14 +0,0 @@ -Index: auth/pam.c -=================================================================== ---- auth/pam.c.orig -+++ auth/pam.c -@@ -111,7 +111,9 @@ pam_init(pw, promptp, auth) - * We set PAM_RHOST to avoid a bug in Solaris 7 and below. - */ - (void) pam_set_item(pamh, PAM_RUSER, user_name); -+#if 0 /* we don't care about Solaris bugs */ - (void) pam_set_item(pamh, PAM_RHOST, user_host); -+#endif - - /* - * Some versions of pam_lastlog have a bug that diff --git a/sudo-1.7.1-secure_path.diff b/sudo-1.7.1-secure_path.diff deleted file mode 100644 index 62b5fd5..0000000 --- a/sudo-1.7.1-secure_path.diff +++ /dev/null 
@@ -1,57 +0,0 @@ -Index: env.c -=================================================================== ---- env.c.orig -+++ env.c -@@ -700,7 +700,7 @@ rebuild_env(sudo_mode, noexec) - } - } - /* Replace the PATH envariable with a secure one? */ -- if (def_secure_path && !user_is_exempt()) { -+ if (def_secure_path && !user_is_exempt() && def_env_reset) { - sudo_setenv("PATH", def_secure_path, TRUE); - SET(didvar, DID_PATH); - } -Index: find_path.c -=================================================================== ---- find_path.c.orig -+++ find_path.c -@@ -87,7 +87,7 @@ find_path(infile, outfile, sbp, path) - } - - /* Use PATH passed in unless SECURE_PATH is in effect. */ -- if (def_secure_path && !user_is_exempt()) -+ if (def_secure_path && !user_is_exempt() && def_env_reset) - path = def_secure_path; - else if (path == NULL) - return(NOT_FOUND); -Index: logging.c -=================================================================== ---- logging.c.orig -+++ logging.c -@@ -434,7 +434,7 @@ send_mail(line) - #ifndef NO_ROOT_MAILER - static char *root_envp[] = { - "HOME=/", -- "PATH=/usr/bin:/bin", -+ "PATH=/usr/sbin:/bin:/usr/bin:/sbin", - "LOGNAME=root", - "USERNAME=root", - "USER=root", -Index: pathnames.h.in -=================================================================== ---- pathnames.h.in.orig -+++ pathnames.h.in -@@ -41,9 +41,10 @@ - #define _PATH_DEVNULL "/dev/null" - #endif /* _PATH_DEVNULL */ - --#ifndef _PATH_DEFPATH --#define _PATH_DEFPATH "/usr/bin:/bin" --#endif /* _PATH_DEFPATH */ -+/* -+ * _PATH_DEFPATH included from contains only "/usr/bin:/bin" -+ */ -+#define _PATH_DEFPATH "/usr/sbin:/bin:/usr/bin:/sbin" - - #ifndef _PATH_ENVIRONMENT - #define _PATH_ENVIRONMENT "/etc/environment" diff --git a/sudo-1.7.1-strip.diff b/sudo-1.7.1-strip.diff deleted file mode 100644 index 51bb568..0000000 --- a/sudo-1.7.1-strip.diff +++ /dev/null 
@@ -1,19 +0,0 @@ -Index: Makefile.in -=================================================================== ---- Makefile.in.orig -+++ Makefile.in -@@ -417,11 +417,11 @@ install-dirs: - $(DESTDIR)$(noexecdir) - - install-binaries: install-dirs $(PROGS) -- $(INSTALL) -O $(install_uid) -G $(install_gid) -M 4111 -s sudo $(DESTDIR)$(sudodir)/sudo -+ $(INSTALL) -O $(install_uid) -G $(install_gid) -M 4111 sudo $(DESTDIR)$(sudodir)/sudo - rm -f $(DESTDIR)$(sudodir)/sudoedit - ln $(DESTDIR)$(sudodir)/sudo $(DESTDIR)$(sudodir)/sudoedit -- $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0111 -s visudo $(DESTDIR)$(visudodir)/visudo --@SELINUX@ $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0111 -s sesh $(DESTDIR)$(libexecdir)/sesh -+ $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0111 visudo $(DESTDIR)$(visudodir)/visudo -+@SELINUX@ $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0111 sesh $(DESTDIR)$(libexecdir)/sesh - - install-noexec: install-dirs sudo_noexec.la - test -f .libs/$(noexecfile) && $(INSTALL) -O $(install_uid) -G $(install_gid) -M 0755 .libs/$(noexecfile) $(DESTDIR)$(noexecdir) diff --git a/sudo-1.7.1-sudoers.diff b/sudo-1.7.1-sudoers.diff deleted file mode 100644 index 68d3c78..0000000 --- a/sudo-1.7.1-sudoers.diff +++ /dev/null 
@@ -1,46 +0,0 @@ -Index: sudo.man.in -=================================================================== ---- sudo.man.in.orig -+++ sudo.man.in -@@ -190,8 +190,8 @@ is initialized based on the group file ( - specified). If the invoking user is root or if the target user is - the same as the invoking user, no password is required. Otherwise, - \&\fBsudo\fR requires that users authenticate themselves with a password --by default (\s-1NOTE:\s0 in the default configuration this is the user's --password, not the root password). Once a user has been authenticated, -+by default (\s-1NOTE:\s0 in the default configuration this is the root -+password, not the user's password). Once a user has been authenticated, - a timestamp is updated and the user may then use sudo without a - password for a short period of time (\f(CW\*(C`@timeout@\*(C'\fR minutes unless - overridden in \fIsudoers\fR). -Index: sudoers -=================================================================== ---- sudoers.orig -+++ sudoers -@@ -15,6 +15,26 @@ - - # Defaults specification - -+# Prevent environment variables from influencing programs in an -+# unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151) -+Defaults always_set_home -+Defaults env_reset -+# Change env_reset to !env_reset in previous line to keep all environment variables -+# Following list will no longer be necessary after this change -+ -+Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE" -+# Comment out the preceding line and uncomment the following one if you need -+# to use special input methods. This may allow users to compromise the root -+# account if they are allowed to run commands without authentication. 
-+#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" -+ -+# In the default (unconfigured) configuration, sudo asks for the root password. -+# This allows use of an ordinary user account for administration of a freshly -+# installed system. When configuring sudo, delete the two -+# following lines: -+Defaults targetpw # ask for the password of the target user i.e. root -+ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'! -+ - # Runas alias specification - - # User privilege specification diff --git a/sudo-1.7.2p7.tar.gz b/sudo-1.7.2p7.tar.gz deleted file mode 100644 index 4d78278..0000000 --- a/sudo-1.7.2p7.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:07a9c83e628a088314523e558236ac3c4cb0d54d7d7093e5b3e4c8101b1a2bea -size 772356 diff --git a/sudo-1.8.0.tar.bz2 b/sudo-1.8.0.tar.bz2 new file mode 100644 index 0000000..ee304cf --- /dev/null +++ b/sudo-1.8.0.tar.bz2 @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cc246ed848ae493db5da5643c5b75cd749e2d552d48273d249a72cd711a3415b +size 930401 diff --git a/sudo-CVE-2011-0010.patch b/sudo-CVE-2011-0010.patch deleted file mode 100644 index 0f868a9..0000000 --- a/sudo-CVE-2011-0010.patch +++ /dev/null 
@@ -1,93 +0,0 @@ -# User Todd C. Miller -# Date 1294760019 18000 -# Node ID fe8a94f96542335c02d09fba81077c1dcc6381b5 -# Parent 8f9303326db73a2e00cd53c2515db8188386cfc0 -If the user is running sudo as himself but as a different group we -need to prompt for a password. - -Index: sudo-1.7.2p7/check.c -=================================================================== ---- sudo-1.7.2p7.orig/check.c -+++ sudo-1.7.2p7/check.c -@@ -93,7 +93,13 @@ check_user(validated, mode) - /* do not check or update timestamp */ - status = TS_ERROR; - } else { -- if (user_uid == 0 || user_uid == runas_pw->pw_uid || user_is_exempt()) -+ /* -+ * Don't prompt for the root passwd or if the user is exempt. -+ * If the user is not changing uid/gid, no need for a password. -+ */ -+ if (user_uid == 0 || (user_uid == runas_pw->pw_uid && -+ (!runas_gr || user_in_group(sudo_user.pw, runas_gr->gr_name))) || -+ user_is_exempt()) - return; - - build_timestamp(×tampdir, ×tampfile); -Index: sudo-1.7.2p7/pwutil.c -=================================================================== ---- sudo-1.7.2p7.orig/pwutil.c -+++ sudo-1.7.2p7/pwutil.c -@@ -565,3 +565,50 @@ sudo_endgrent() - sudo_freegrcache(); - #endif - } -+ -+ -+int -+user_in_group(struct passwd *pw, const char *group) -+{ -+ char **gr_mem; -+ int i; -+ struct group *grp; -+ int retval = FALSE; -+ -+ grp = sudo_getgrnam(group); -+ if (grp == NULL) -+ goto done; -+ -+ /* check against user's primary (passwd file) gid */ -+ if (grp->gr_gid == pw->pw_gid) { -+ retval = TRUE; -+ goto done; -+ } -+ -+ /* -+ * If we are matching the invoking or list user and that user has a -+ * supplementary group vector, check it. -+ */ -+ if (user_ngroups > 0 && -+ strcmp(pw->pw_name, list_pw ? 
list_pw->pw_name : user_name) == 0) { -+ for (i = 0; i < user_ngroups; i++) { -+ if (grp->gr_gid == user_groups[i]) { -+ retval = TRUE; -+ goto done; -+ } -+ } -+ } else -+ { -+ if (grp != NULL && grp->gr_mem != NULL) { -+ for (gr_mem = grp->gr_mem; *gr_mem; gr_mem++) { -+ if (strcmp(*gr_mem, pw->pw_name) == 0) { -+ retval = TRUE; -+ goto done; -+ } -+ } -+ } -+ } -+ -+done: -+ return(retval); -+} -Index: sudo-1.7.2p7/sudo.h -=================================================================== ---- sudo-1.7.2p7.orig/sudo.h -+++ sudo-1.7.2p7/sudo.h -@@ -316,6 +316,7 @@ struct passwd *sudo_getpwuid __P((uid_t) - struct group *sudo_getgrnam __P((const char *)); - struct group *sudo_fakegrnam __P((const char *)); - struct group *sudo_getgrgid __P((gid_t)); -+int user_in_group(struct passwd *pw, const char *group); - #ifdef HAVE_SELINUX - void selinux_exec __P((char *, char *, char **, int)); - #endif diff --git a/sudo-dont-ignore-LDFLAGS.patch b/sudo-dont-ignore-LDFLAGS.patch new file mode 100644 index 0000000..9a52a83 --- /dev/null +++ b/sudo-dont-ignore-LDFLAGS.patch @@ -0,0 +1,13 @@ +Index: sudo-1.8.0/plugins/sudoers/Makefile.in +=================================================================== +--- sudo-1.8.0.orig/plugins/sudoers/Makefile.in ++++ sudo-1.8.0/plugins/sudoers/Makefile.in +@@ -55,7 +55,7 @@ CPPFLAGS = -I$(incdir) -I$(top_builddir) + CFLAGS = @CFLAGS@ + + # Flags to pass to the link stage +-LDFLAGS = ++LDFLAGS = @LDFLAGS@ + SUDOERS_LDFLAGS = @SUDOERS_LDFLAGS@ + + # Where to install things... diff --git a/sudo-sudoers.patch b/sudo-sudoers.patch new file mode 100644 index 0000000..a2810f6 --- /dev/null +++ b/sudo-sudoers.patch 
@@ -0,0 +1,80 @@ +Index: sudo-1.8.0/plugins/sudoers/sudoers.in +=================================================================== +--- sudo-1.8.0.orig/plugins/sudoers/sudoers.in ++++ sudo-1.8.0/plugins/sudoers/sudoers.in +@@ -31,37 +31,36 @@ + ## + ## Defaults specification + ## +-## You may wish to keep some of the following environment variables +-## when running commands via sudo. +-## +-## Locale settings +-# Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET" +-## +-## Run X applications through sudo; HOME is used to find the +-## .Xauthority file. Note that other programs use HOME to find +-## configuration files and this may lead to privilege escalation! +-# Defaults env_keep += "HOME" +-## +-## X11 resource path settings +-# Defaults env_keep += "XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH" +-## +-## Desktop path settings +-# Defaults env_keep += "QTDIR KDEDIR" +-## +-## Allow sudo-run commands to inherit the callers' ConsoleKit session +-# Defaults env_keep += "XDG_SESSION_COOKIE" +-## +-## Uncomment to enable special input methods. Care should be taken as +-## this may allow users to subvert the command being run via sudo. +-# Defaults env_keep += "XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" ++## Prevent environment variables from influencing programs in an ++## unexpected or harmful way (CVE-2005-2959, CVE-2005-4158, CVE-2006-0151) ++Defaults always_set_home ++Defaults env_reset ++## Change env_reset to !env_reset in previous line to keep all environment variables ++## Following list will no longer be necessary after this change ++ ++Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE" ++## Comment out the preceding line and uncomment the following one if you need ++## to use special input methods. 
This may allow users to compromise the root ++## account if they are allowed to run commands without authentication. ++#Defaults env_keep = "LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE XMODIFIERS GTK_IM_MODULE QT_IM_MODULE QT_IM_SWITCHER" ++ ++## Do not insult users when they enter an incorrect password. ++Defaults !insults ++ + ## + ## Uncomment to enable logging of a command's output, except for + ## sudoreplay and reboot. Use sudoreplay to play back logged sessions. + # Defaults log_output + # Defaults!/usr/bin/sudoreplay !log_output +-# Defaults!/usr/local/bin/sudoreplay !log_output + # Defaults!/sbin/reboot !log_output + ++## In the default (unconfigured) configuration, sudo asks for the root password. ++## This allows use of an ordinary user account for administration of a freshly ++## installed system. When configuring sudo, delete the two ++## following lines: ++Defaults targetpw # ask for the password of the target user i.e. root ++ALL ALL=(ALL) ALL # WARNING! Only use this together with 'Defaults targetpw'! ++ + ## + ## Runas alias specification + ## +@@ -77,14 +76,6 @@ root ALL=(ALL) ALL + ## Same thing without a password + # %wheel ALL=(ALL) NOPASSWD: ALL + +-## Uncomment to allow members of group sudo to execute any command +-# %sudo ALL=(ALL) ALL +- +-## Uncomment to allow any user to run sudo if they know the password +-## of the user they are running the command as (root by default). +-# Defaults targetpw # Ask for the password of the target user +-# ALL ALL=(ALL) ALL # WARNING: only use this together with 'Defaults targetpw' +- + ## Read drop-in files from @sysconfdir@/sudoers.d + ## (the '#' here does not indicate a comment) + #includedir @sysconfdir@/sudoers.d diff --git a/sudo.changes b/sudo.changes index 1d9c577..2472a1e 100644 --- a/sudo.changes +++ b/sudo.changes 
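Review bot: The now-active `ALL ALL=(ALL) ALL` rule is only safe while `Defaults targetpw` is in force, and nothing but the trailing WARNING comment ties the two lines together. The same file ends with `#includedir @sysconfdir@/sudoers.d`, so a drop-in containing `Defaults !targetpw` would leave the ALL rule in place and let every local user run any command with their own password. I would add a line above the pair such as `## Do not negate targetpw (here or in @sysconfdir@/sudoers.d) while the ALL rule below is still present.` The comment on `Defaults env_keep = ...` should also say that `=` replaces sudo's built-in keep list instead of extending it, since the upstream lines it replaces used `+=`.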
@@ -1,3 +1,41 @@ +------------------------------------------------------------------- +Thu Mar 17 10:24:49 UTC 2011 - puzel@novell.com + +- update to sudo-1.8.0 + * Sudo has been refactored to use a modular framework that can + support third-party policy and I/O logging plugins. + * Defaults settings that are tied to a user, host or command may + now include the negation operator. For example: + Defaults:!millert lecture + will match any user but millert. + * The default PATH environment variable, used when no PATH + variable exists, now includes /usr/sbin and /sbin. + * Support for logging I/O for the command being run. + * Sudo will now use the Linux audit system. + + See /usr/share/doc/packages/sudo/NEWS for full list +- new configure script flags: enable-warnings, with-linux-audit, + docdir, with-sendmail +- BuildRequires += audit-devel +- BuildRequires -= postfix +- PreReq += permissions +- add sudo-dont-ignore-LDFLAGS.patch +- drop sudo-1.7.1-defaults.diff (insults disabled in sudoers) +- drop sudo-1.7.1-__P.diff (no more __P in sudo sources) +- drop sudo-1.7.1-strip.diff (sudo no longer strips binaries) +- drop sudo-CVE-2011-0010.patch (in upstream) +- drop sudo-1.7.1-secure_path.diff (sudo now adds /sbin and + /usr/sbin to $PATH if it is empty) +- drop sudo-1.7.1-pam_rhost.diff (fixed in upstream) +- sudo-1.7.1-sudoers.diff renamed to sudo-sudoers.patch +- sudo-1.7.1-env.diff renamed to sudoers2ldif-env.patch +- do not package *.pod files +- use %verifyscript +- timestamp directory moved from /var/run/sudo to /var/lib/sudo +- better commented default /etc/sudoers +- packaged /etc/sudoers.d directory +- new sudo-devel subpackage +- cleaned specfile + ------------------------------------------------------------------- Thu Jan 27 09:18:05 UTC 2011 - cprause@novell.com diff --git a/sudo.spec b/sudo.spec index e3f3acd..39d6a09 100644 --- a/sudo.spec +++ b/sudo.spec 
@@ -1,7 +1,7 @@ # -# spec file for package sudo (Version 1.7.2p7) +# spec file for package sudo # -# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany. +# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -15,30 +15,27 @@ # Please submit bugfixes or comments via http://bugs.opensuse.org/ # -# norootforbuild Name: sudo -BuildRequires: openldap2-devel pam-devel postfix -BuildRequires: libselinux-devel -PreReq: coreutils -Version: 1.7.2p7 -Release: 4 -Group: System/Base +Version: 1.8.0 +Release: 5 License: BSD3c(or similar) -Url: http://www.sudo.ws/ Summary: Execute some commands as root -Source0: http://sudo.ws/sudo/dist/%{name}-%{version}.tar.gz -Source1: %{name}.pamd +Url: http://www.sudo.ws/ +Group: System/Base +Source0: http://sudo.ws/sudo/dist/%{name}-%{version}.tar.bz2 +Source1: sudo.pamd Source2: README.SUSE -Patch1: %{name}-1.7.1-defaults.diff -Patch2: %{name}-1.7.1-sudoers.diff -Patch3: %{name}-1.7.1-__P.diff -Patch4: %{name}-1.7.1-strip.diff -Patch5: %{name}-1.7.1-secure_path.diff -Patch6: %{name}-1.7.1-env.diff -Patch7: %{name}-1.7.1-pam_rhost.diff -Patch8: sudo-CVE-2011-0010.patch +Patch1: sudoers2ldif-env.patch +Patch2: sudo-dont-ignore-LDFLAGS.patch +Patch3: sudo-sudoers.patch +BuildRequires: audit-devel +BuildRequires: libselinux-devel +BuildRequires: openldap2-devel +BuildRequires: pam-devel +PreReq: coreutils +PreReq: permissions BuildRoot: %{_tmppath}/%{name}-%{version}-build %description 
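Review bot: The new `Source0` line in the second hunk still points at a plain `http://` URL, and none of the `Source` lines is an upstream signature, so the spec records no way to check that the 1.8.0 tarball is what upstream released. The checksum committed with the tarball pins the file in this repository but does not tie it to upstream. If upstream publishes a detached signature for this release (worth confirming), I would list it as an additional `SourceN:` entry next to `Source0` and add a one-line comment saying which key it was verified against.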
@@ -50,25 +47,19 @@ things. Sudo asks for the password for initializing a check period of a given time N (where N is defined at installation and is set to 5 minutes by default). +%package devel +License: BSD3c(or similar) +Summary: Header files needed for sudo plugin development +Group: Development/Libraries/C and C++ - -Authors: --------- - Jeff Nieusma - David Hieb - Ian McCloghrie +%description devel +These header files are needed for building of sudo plugins. %prep %setup -q -%patch1 -%patch2 -%patch3 -%patch4 -%patch5 -%patch6 -%patch7 -%patch8 -p1 -cp %{SOURCE2} . +%patch1 -p1 +%patch2 -p1 +%patch3 -p1 %build %ifarch s390 s390x %sparc 
@@ -76,56 +67,79 @@ F_PIE=-fPIE %else F_PIE=-fpie %endif -export CFLAGS="$RPM_OPT_FLAGS -Wall $F_PIE -DLDAP_DEPRECATED" +export CFLAGS="%{optflags} -Wall $F_PIE -DLDAP_DEPRECATED" export LDFLAGS="-pie" %configure \ --libexecdir=%{_libexecdir}/sudo \ + --docdir=%{_docdir}/%{name} \ --with-noexec=%{_libexecdir}/sudo/sudo_noexec.so \ + --with-pam \ + --with-ldap \ --with-selinux \ + --with-linux-audit \ --with-logfac=auth \ --with-insults \ --with-all-insults \ --with-ignore-dot \ --with-tty-tickets \ --enable-shell-sets-home \ + --enable-warnings \ + --with-sendmail=%{_sbindir}/sendmail \ --with-sudoers-mode=0440 \ - --with-pam \ - --with-ldap \ --with-env-editor \ --without-secure-path \ --with-passprompt='%%p\x27s password:' make %{?_smp_mflags} %install -make DESTDIR=$RPM_BUILD_ROOT install -install -d -m 700 $RPM_BUILD_ROOT%{_localstatedir}/run/sudo -install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/pam.d -install -m 644 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/sudo -install -m 755 sudoers2ldif $RPM_BUILD_ROOT%{_sbindir}/sudoers2ldif -rm -f $RPM_BUILD_ROOT%{_bindir}/sudoedit -ln -sf %{_bindir}/sudo $RPM_BUILD_ROOT%{_bindir}/sudoedit -install -d -m 755 $RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema -install -m 644 schema.OpenLDAP $RPM_BUILD_ROOT%{_sysconfdir}/openldap/schema/sudo.schema +%make_install +install -d -m 755 %{buildroot}%{_sysconfdir}/pam.d +install -m 644 %{SOURCE1} %{buildroot}%{_sysconfdir}/pam.d/sudo +mv %{buildroot}%{_docdir}/%{name}/sudoers2ldif %{buildroot}%{_sbindir} +rm -f %{buildroot}%{_bindir}/sudoedit +ln -sf %{_bindir}/sudo %{buildroot}%{_bindir}/sudoedit +install -d -m 755 %{buildroot}%{_sysconfdir}/openldap/schema +install -m 644 doc/schema.OpenLDAP %{buildroot}%{_sysconfdir}/openldap/schema/sudo.schema +install -m 644 %{SOURCE2} %{buildroot}%{_docdir}/%{name}/ +rm -f %{buildroot}%{_docdir}/%{name}/sample.pam +rm -f %{buildroot}%{_docdir}/%{name}/sample.syslog.conf +rm -f %{buildroot}%{_docdir}/%{name}/schema.OpenLDAP +rm -f 
%{buildroot}%{_libexecdir}/%{name}/sudoers.la %post chmod 0440 %{_sysconfdir}/sudoers +%if 0%{?suse_version} <= 1130 +%run_permissions +%else +%set_permissions /usr/bin/sudo +%endif + +%verifyscript +%verify_permissions -e /usr/bin/sudo %clean -rm -rf $RPM_BUILD_ROOT +rm -rf %{buildroot} %files %defattr(-,root,root) -%doc HISTORY LICENSE PORTING README README.LDAP README.SUSE TROUBLESHOOTING UPGRADE WHATSNEW *.pod +%doc %{_docdir}/%{name} %doc %{_mandir}/man?/* %config(noreplace) %attr(0440,root,root) %{_sysconfdir}/sudoers +%dir %{_sysconfdir}/sudoers.d %config %{_sysconfdir}/pam.d/sudo %attr(4755,root,root) %{_bindir}/sudo %dir %{_sysconfdir}/openldap %dir %{_sysconfdir}/openldap/schema %attr(0444,root,root) %config %{_sysconfdir}/openldap/schema/sudo.schema %{_bindir}/sudoedit -%{_sbindir}/* +%{_bindir}/sudoreplay +%{_sbindir}/visudo +%attr(0755,root,root) %{_sbindir}/sudoers2ldif %{_libexecdir}/sudo -%{_localstatedir}/run/sudo +%attr(0700,root,root) %dir %ghost %{_localstatedir}/lib/sudo + +%files devel +%defattr(-,root,root) +%{_includedir}/sudo_plugin.h %changelog diff --git a/sudo-1.7.1-env.diff b/sudoers2ldif-env.patch similarity index 50% rename from sudo-1.7.1-env.diff rename to sudoers2ldif-env.patch index c9fad91..dd58da8 100644 --- a/sudo-1.7.1-env.diff +++ b/sudoers2ldif-env.patch @@ -1,7 +1,7 @@ -Index: sudoers2ldif +Index: sudo-1.8.0/plugins/sudoers/sudoers2ldif =================================================================== ---- sudoers2ldif.orig -+++ sudoers2ldif +--- sudo-1.8.0.orig/plugins/sudoers/sudoers2ldif ++++ sudo-1.8.0/plugins/sudoers/sudoers2ldif @@ -1,4 +1,4 @@ -#!/usr/bin/env perl +#!/usr/bin/perl
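Review bot: The permission macros added to %post and %verifyscript name the setuid binary as a literal `/usr/bin/sudo`, while %files lists the same file as `%attr(4755,root,root) %{_bindir}/sudo`. The path should be spelled one way so the check cannot drift from the packaged file: `%set_permissions %{_bindir}/sudo` and `%verify_permissions -e %{_bindir}/sudo`. Separately, the timestamp directory is now `%ghost` under `%{_localstatedir}/lib/sudo` and the explicit `install -d -m 700` was dropped, so nothing visible in this hunk creates it with mode 0700 or clears it at boot. A short comment on that %files line should say what creates the directory and whether tickets there are meant to survive a reboot.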