[gentoo-commits] gentoo-x86 commit in app-admin/sudo: ChangeLog sudo-1.7.1_rc1.ebuild sudo-1.7.1_beta5.ebuild - gentoo-commits

From:	"Diego Petteno (flameeyes)" <flameeyes@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] gentoo-x86 commit in app-admin/sudo: ChangeLog sudo-1.7.1_rc1.ebuild sudo-1.7.1_beta5.ebuild
Date:	Wed, 08 Apr 2009 17:28:24
Message-Id:	`E1LrbZW-00013J-4W@stork.gentoo.org`

1

flameeyes    09/04/08 17:28:22

2

3

  Modified:             ChangeLog

4

  Added:                sudo-1.7.1_rc1.ebuild

5

  Removed:              sudo-1.7.1_beta5.ebuild

6

  Log:

7

  Bump the development version to the first release candidate. Take out of package.mask since it seems quite stable.

8

  (Portage version: 2.2_rc28/cvs/Linux x86_64)

9

10

Revision  Changes    Path

11

1.170                app-admin/sudo/ChangeLog

12

13

file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/ChangeLog?rev=1.170&view=markup

14

plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/ChangeLog?rev=1.170&content-type=text/plain

15

diff : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/ChangeLog?r1=1.169&r2=1.170

16

17

Index: ChangeLog

18

===================================================================

19

RCS file: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v

20

retrieving revision 1.169

21

retrieving revision 1.170

22

diff -u -r1.169 -r1.170

23

--- ChangeLog	30 Mar 2009 15:11:48 -0000	1.169

24

+++ ChangeLog	8 Apr 2009 17:28:22 -0000	1.170

25

@@ -1,6 +1,13 @@

26

 # ChangeLog for app-admin/sudo

27

 # Copyright 2002-2009 Gentoo Foundation; Distributed under the GPL v2

28

-# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v 1.169 2009/03/30 15:11:48 flameeyes Exp $

29

+# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v 1.170 2009/04/08 17:28:22 flameeyes Exp $

30

+

31

+*sudo-1.7.1_rc1 (08 Apr 2009)

32

+

33

+  08 Apr 2009; Diego E. Pettenò <flameeyes@g.o>

34

+  -sudo-1.7.1_beta5.ebuild, +sudo-1.7.1_rc1.ebuild:

35

+  Bump the development version to the first release candidate. Take out of

36

+  package.mask since it seems quite stable.

37

38

   30 Mar 2009; Diego E. Pettenò <flameeyes@g.o> -files/sudo,

39

   -files/sudoers, -sudo-1.6.9_p17.ebuild:

1.1                  app-admin/sudo/sudo-1.7.1_rc1.ebuild

44

45

file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/sudo-1.7.1_rc1.ebuild?rev=1.1&view=markup

46

plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/sudo-1.7.1_rc1.ebuild?rev=1.1&content-type=text/plain

47

48

Index: sudo-1.7.1_rc1.ebuild

49

===================================================================

50

# Copyright 1999-2009 Gentoo Foundation

51

# Distributed under the terms of the GNU General Public License v2

52

# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/sudo-1.7.1_rc1.ebuild,v 1.1 2009/04/08 17:28:22 flameeyes Exp $

53

54

inherit eutils pam confutils

55

56

MY_P=${P/_/}

57

MY_P=${MY_P/beta/b}

58

59

case "${P}" in

60

	*_beta* | *_rc*)

61

		uri_prefix=beta/

62

;;

63

*)

64

		uri_prefix=""

65

;;

66

esac

67

68

DESCRIPTION="Allows users or groups to run commands as other users"

69

HOMEPAGE="http://www.sudo.ws/"

70

SRC_URI="ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"

71

LICENSE="Sudo"

72

SLOT="0"

73

KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~sparc-fbsd ~x86 ~x86-fbsd"

74

IUSE="pam skey offensive ldap selinux"

75

76

DEPEND="pam? ( virtual/pam )

77

	ldap? (

78

		>=net-nds/openldap-2.1.30-r1

79

		dev-libs/cyrus-sasl

80

)

81

	skey? ( >=sys-auth/skey-1.1.5-r1 )

82

	virtual/editor

83

	virtual/mta"

84

RDEPEND="selinux? ( sec-policy/selinux-sudo )

85

	ldap? ( dev-lang/perl )

86

	pam? ( sys-auth/pambase )

87

	${DEPEND}"

88

DEPEND="${DEPEND} sys-devel/bison"

89

90

S=${WORKDIR}/${MY_P}

91

92

pkg_setup() {

93

	confutils_use_conflict skey pam

94

}

95

96

src_unpack() {

97

	unpack ${A}; cd "${S}"

98

99

	# compatability fix.

100

	epatch "${FILESDIR}"/${PN}-skeychallengeargs.diff

101

102

	# additional variables to disallow, should user disable env_reset.

103

104

	# NOTE: this is not a supported mode of operation, these variables

105

	#       are added to the blacklist as a convenience to administrators

106

	#       who fail to heed the warnings of allowing untrusted users

107

	#       to access sudo.

108

#

109

	#       there is *no possible way* to foresee all attack vectors in

110

	#       all possible applications that could potentially be used via

111

	#       sudo, these settings will just delay the inevitable.

112

#

113

	#       that said, I will accept suggestions for variables that can

114

	#       be misused in _common_ interpreters or libraries, such as

115

	#       perl, bash, python, ruby, etc., in the hope of dissuading

116

	#       a casual attacker.

117

118

	# XXX: perl should be using suid_perl.

119

	# XXX: users can remove/add more via env_delete and env_check.

120

	# XXX: <?> = probably safe enough for most circumstances.

121

122

	einfo "Blacklisting common variables (env_delete)..."

123

		sudo_bad_var() {

124

			local target='env.c' marker='\*initial_badenv_table\[\]'

125

126

			ebegin "	$1"

127

			sed -i 's#\(^.*'${marker}'.*$\)#\1\n\t"'${1}'",#' "${S}"/${target}

128

			eend $?

129

}

130

131

		sudo_bad_var 'PERLIO_DEBUG'   # perl, write debug to file.

132

		sudo_bad_var 'FPATH'          # ksh, search path for functions.

133

		sudo_bad_var 'NULLCMD'        # zsh, command on null-redir. <?>

134

		sudo_bad_var 'READNULLCMD'    # zsh, command on null-redir. <?>

135

		sudo_bad_var 'GLOBIGNORE'     # bash, glob paterns to ignore. <?>

136

		sudo_bad_var 'PYTHONHOME'     # python, module search path.

137

		sudo_bad_var 'PYTHONPATH'     # python, search path.

138

		sudo_bad_var 'PYTHONINSPECT'  # python, allow inspection.

139

		sudo_bad_var 'RUBYLIB'        # ruby, lib load path.

140

		sudo_bad_var 'RUBYOPT'        # ruby, cl options.

141

		sudo_bad_var 'ZDOTDIR'        # zsh, path to search for dotfiles.

142

	einfo "...done."

143

144

	# prevent binaries from being stripped.

145

	sed -i 's/\($(INSTALL).*\) -s \(.*[(sudo|visudo)]\)/\1 \2/g' Makefile.in

146

147

	# remove useless c++ checks

148

	epunt_cxx

149

}

150

151

src_compile() {

152

	local line ROOTPATH

153

154

	# FIXME: secure_path is a compile time setting. using ROOTPATH

155

	# is not perfect, env-update may invalidate this, but until it

156

	# is available as a sudoers setting this will have to do.

157

	einfo "Setting secure_path..."

158

159

		# why not use grep? variable might be expanded from other variables

160

		# declared in that file. cannot just source the file, would override

161

		# any variables already set.

162

		eval `PS4= bash -x /etc/profile.env 2>&1 | \

163

			while read line; do

164

				case $line in

165

					ROOTPATH=*) echo $line; break;;

166

					*) continue;;

167

				esac

168

			done`  && einfo "	Found ROOTPATH..." || \

169

				ewarn "	Failed to find ROOTPATH, please report this."

170

171

		# remove duplicate path entries from $1

172

		cleanpath() {

173

			local i=1 x n IFS=:

174

			local -a paths;	paths=($1)

175

176

			for ((n=${#paths[*]}-1;i<=n;i++)); do

177

				for ((x=0;x<i;x++)); do

178

					test "${paths[i]}" == "${paths[x]}" && {

179

						einfo "	Duplicate entry ${paths[i]} removed..." 1>&2

180

						unset paths[i]; continue 2; }

181

				done; # einfo "	Adding ${paths[i]}..." 1>&2

182

			done; echo "${paths[*]}"

183

}

184

185

		ROOTPATH=$(cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${ROOTPATH:+:${ROOTPATH}})

186

187

		# strip gcc path (bug #136027)

188

		rmpath() {

189

			declare e newpath oldpath=${!1} PATHvar=$1 thisp IFS=:

190

			shift

191

			for thisp in $oldpath; do

192

				for e; do [[ $thisp == $e ]] && continue 2; done

193

				newpath=$newpath:$thisp

194

			done

195

			eval $PATHvar='${newpath#:}'

196

}

197

198

		rmpath ROOTPATH '*/gcc-bin/*'

199

200

	einfo "...done."

201

202

	# XXX: --disable-path-info closes an info leak, but may be confusing.

203

	# XXX: /bin/vi may not be available, make nano visudo's default.

204

	econf --with-secure-path="${ROOTPATH}" \

205

		--with-editor=/bin/nano \

206

		--with-env-editor \

207

		$(use_with offensive insults) \

208

		$(use_with offensive all-insults) \

209

		$(use_with pam) \

210

		$(use_with skey) \

211

		$(use_with ldap ldap_conf_file /etc/ldap.conf.sudo) \

212

		$(use_with ldap) || die

213

214

	emake || die

215

}

216

217

src_install() {

218

	emake DESTDIR="${D}" install || die

219

	dodoc ChangeLog HISTORY PORTING README TROUBLESHOOTING \

220

		UPGRADE WHATSNEW sample.sudoers sample.syslog.conf

221

222

	if use ldap; then

223

		dodoc README.LDAP schema.OpenLDAP

224

		dosbin sudoers2ldif

225

226

		cat - > "${T}"/ldap.conf.sudo <<EOF

227

# See ldap.conf(5) and README.LDAP for details\n"

228

# This file should only be readable by root\n\n"

229

# supported directives: host, port, ssl, ldap_version\n"

230

# uri, binddn, bindpw, sudoers_base, sudoers_debug\n"

231

# tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key

232

EOF

233

234

		insinto /etc

235

		doins "${T}"/ldap.conf.sudo

236

		fperms 0440 /etc/ldap.conf.sudo

237

fi

238

239

	pamd_mimic system-auth sudo auth account password session

240

241

	insinto /etc

242

	doins "${S}"/sudoers

243

	fperms 0440 /etc/sudoers

244

}

245

246

pkg_postinst() {

247

	if use ldap; then

248

		ewarn

249

		ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."

250

		ewarn

251

		if egrep -q '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf; then

252

			ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"

253

			ewarn "configured in /etc/nsswitch.conf."

254

			ewarn

255

			ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"

256

			ewarn "  sudoers: ldap files"

257

			ewarn

258

fi

259

fi

260

}

1	flameeyes 09/04/08 17:28:22
2
3	Modified: ChangeLog
4	Added: sudo-1.7.1_rc1.ebuild
5	Removed: sudo-1.7.1_beta5.ebuild
6	Log:
7	Bump the development version to the first release candidate. Take out of package.mask since it seems quite stable.
8	(Portage version: 2.2_rc28/cvs/Linux x86_64)
9
10	Revision Changes Path
11	1.170 app-admin/sudo/ChangeLog
12
13	file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/ChangeLog?rev=1.170&view=markup
14	plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/ChangeLog?rev=1.170&content-type=text/plain
15	diff : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/ChangeLog?r1=1.169&r2=1.170
16
17	Index: ChangeLog
18	===================================================================
19	RCS file: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v
20	retrieving revision 1.169
21	retrieving revision 1.170
22	diff -u -r1.169 -r1.170
23	--- ChangeLog 30 Mar 2009 15:11:48 -0000 1.169
24	+++ ChangeLog 8 Apr 2009 17:28:22 -0000 1.170
25	@@ -1,6 +1,13 @@
26	# ChangeLog for app-admin/sudo
27	# Copyright 2002-2009 Gentoo Foundation; Distributed under the GPL v2
28	-# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v 1.169 2009/03/30 15:11:48 flameeyes Exp $
29	+# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v 1.170 2009/04/08 17:28:22 flameeyes Exp $
30	+
31	+*sudo-1.7.1_rc1 (08 Apr 2009)
32	+
33	+ 08 Apr 2009; Diego E. Pettenò <flameeyes@g.o>
34	+ -sudo-1.7.1_beta5.ebuild, +sudo-1.7.1_rc1.ebuild:
35	+ Bump the development version to the first release candidate. Take out of
36	+ package.mask since it seems quite stable.
37
38	30 Mar 2009; Diego E. Pettenò <flameeyes@g.o> -files/sudo,
39	-files/sudoers, -sudo-1.6.9_p17.ebuild:
40
41
42
43	1.1 app-admin/sudo/sudo-1.7.1_rc1.ebuild
44
45	file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/sudo-1.7.1_rc1.ebuild?rev=1.1&view=markup
46	plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/sudo-1.7.1_rc1.ebuild?rev=1.1&content-type=text/plain
47
48	Index: sudo-1.7.1_rc1.ebuild
49	===================================================================
50	# Copyright 1999-2009 Gentoo Foundation
51	# Distributed under the terms of the GNU General Public License v2
52	# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/sudo-1.7.1_rc1.ebuild,v 1.1 2009/04/08 17:28:22 flameeyes Exp $
53
54	inherit eutils pam confutils
55
56	MY_P=${P/_/}
57	MY_P=${MY_P/beta/b}
58
59	case "${P}" in
60	_beta \| _rc)
61	uri_prefix=beta/
62	;;
63	*)
64	uri_prefix=""
65	;;
66	esac
67
68	DESCRIPTION="Allows users or groups to run commands as other users"
69	HOMEPAGE="http://www.sudo.ws/"
70	SRC_URI="ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"
71	LICENSE="Sudo"
72	SLOT="0"
73	KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~sparc-fbsd ~x86 ~x86-fbsd"
74	IUSE="pam skey offensive ldap selinux"
75
76	DEPEND="pam? ( virtual/pam )
77	ldap? (
78	>=net-nds/openldap-2.1.30-r1
79	dev-libs/cyrus-sasl
80	)
81	skey? ( >=sys-auth/skey-1.1.5-r1 )
82	virtual/editor
83	virtual/mta"
84	RDEPEND="selinux? ( sec-policy/selinux-sudo )
85	ldap? ( dev-lang/perl )
86	pam? ( sys-auth/pambase )
87	${DEPEND}"
88	DEPEND="${DEPEND} sys-devel/bison"
89
90	S=${WORKDIR}/${MY_P}
91
92	pkg_setup() {
93	confutils_use_conflict skey pam
94	}
95
96	src_unpack() {
97	unpack ${A}; cd "${S}"
98
99	# compatability fix.
100	epatch "${FILESDIR}"/${PN}-skeychallengeargs.diff
101
102	# additional variables to disallow, should user disable env_reset.
103
104	# NOTE: this is not a supported mode of operation, these variables
105	# are added to the blacklist as a convenience to administrators
106	# who fail to heed the warnings of allowing untrusted users
107	# to access sudo.
108	#
109	# there is no possible way to foresee all attack vectors in
110	# all possible applications that could potentially be used via
111	# sudo, these settings will just delay the inevitable.
112	#
113	# that said, I will accept suggestions for variables that can
114	# be misused in _common_ interpreters or libraries, such as
115	# perl, bash, python, ruby, etc., in the hope of dissuading
116	# a casual attacker.
117
118	# XXX: perl should be using suid_perl.
119	# XXX: users can remove/add more via env_delete and env_check.
120	# XXX: <?> = probably safe enough for most circumstances.
121
122	einfo "Blacklisting common variables (env_delete)..."
123	sudo_bad_var() {
124	local target='env.c' marker='\*initial_badenv_table\[\]'
125
126	ebegin " $1"
127	sed -i 's#\(^.'${marker}'.$\)#\1\n\t"'${1}'",#' "${S}"/${target}
128	eend $?
129	}
130
131	sudo_bad_var 'PERLIO_DEBUG' # perl, write debug to file.
132	sudo_bad_var 'FPATH' # ksh, search path for functions.
133	sudo_bad_var 'NULLCMD' # zsh, command on null-redir. <?>
134	sudo_bad_var 'READNULLCMD' # zsh, command on null-redir. <?>
135	sudo_bad_var 'GLOBIGNORE' # bash, glob paterns to ignore. <?>
136	sudo_bad_var 'PYTHONHOME' # python, module search path.
137	sudo_bad_var 'PYTHONPATH' # python, search path.
138	sudo_bad_var 'PYTHONINSPECT' # python, allow inspection.
139	sudo_bad_var 'RUBYLIB' # ruby, lib load path.
140	sudo_bad_var 'RUBYOPT' # ruby, cl options.
141	sudo_bad_var 'ZDOTDIR' # zsh, path to search for dotfiles.
142	einfo "...done."
143
144	# prevent binaries from being stripped.
145	sed -i 's/\($(INSTALL).\) -s \(.[(sudo\|visudo)]\)/\1 \2/g' Makefile.in
146
147	# remove useless c++ checks
148	epunt_cxx
149	}
150
151	src_compile() {
152	local line ROOTPATH
153
154	# FIXME: secure_path is a compile time setting. using ROOTPATH
155	# is not perfect, env-update may invalidate this, but until it
156	# is available as a sudoers setting this will have to do.
157	einfo "Setting secure_path..."
158
159	# why not use grep? variable might be expanded from other variables
160	# declared in that file. cannot just source the file, would override
161	# any variables already set.
162	eval `PS4= bash -x /etc/profile.env 2>&1 \| \
163	while read line; do
164	case $line in
165	ROOTPATH=*) echo $line; break;;
166	*) continue;;
167	esac
168	done` && einfo " Found ROOTPATH..." \|\| \
169	ewarn " Failed to find ROOTPATH, please report this."
170
171	# remove duplicate path entries from $1
172	cleanpath() {
173	local i=1 x n IFS=:
174	local -a paths; paths=($1)
175
176	for ((n=${#paths[*]}-1;i<=n;i++)); do
177	for ((x=0;x<i;x++)); do
178	test "${paths[i]}" == "${paths[x]}" && {
179	einfo " Duplicate entry ${paths[i]} removed..." 1>&2
180	unset paths[i]; continue 2; }
181	done; # einfo " Adding ${paths[i]}..." 1>&2
182	done; echo "${paths[*]}"
183	}
184
185	ROOTPATH=$(cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${ROOTPATH:+:${ROOTPATH}})
186
187	# strip gcc path (bug #136027)
188	rmpath() {
189	declare e newpath oldpath=${!1} PATHvar=$1 thisp IFS=:
190	shift
191	for thisp in $oldpath; do
192	for e; do [[ $thisp == $e ]] && continue 2; done
193	newpath=$newpath:$thisp
194	done
195	eval $PATHvar='${newpath#:}'
196	}
197
198	rmpath ROOTPATH '/gcc-bin/'
199
200	einfo "...done."
201
202	# XXX: --disable-path-info closes an info leak, but may be confusing.
203	# XXX: /bin/vi may not be available, make nano visudo's default.
204	econf --with-secure-path="${ROOTPATH}" \
205	--with-editor=/bin/nano \
206	--with-env-editor \
207	$(use_with offensive insults) \
208	$(use_with offensive all-insults) \
209	$(use_with pam) \
210	$(use_with skey) \
211	$(use_with ldap ldap_conf_file /etc/ldap.conf.sudo) \
212	$(use_with ldap) \|\| die
213
214	emake \|\| die
215	}
216
217	src_install() {
218	emake DESTDIR="${D}" install \|\| die
219	dodoc ChangeLog HISTORY PORTING README TROUBLESHOOTING \
220	UPGRADE WHATSNEW sample.sudoers sample.syslog.conf
221
222	if use ldap; then
223	dodoc README.LDAP schema.OpenLDAP
224	dosbin sudoers2ldif
225
226	cat - > "${T}"/ldap.conf.sudo <<EOF
227	# See ldap.conf(5) and README.LDAP for details\n"
228	# This file should only be readable by root\n\n"
229	# supported directives: host, port, ssl, ldap_version\n"
230	# uri, binddn, bindpw, sudoers_base, sudoers_debug\n"
231	# tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key
232	EOF
233
234	insinto /etc
235	doins "${T}"/ldap.conf.sudo
236	fperms 0440 /etc/ldap.conf.sudo
237	fi
238
239	pamd_mimic system-auth sudo auth account password session
240
241	insinto /etc
242	doins "${S}"/sudoers
243	fperms 0440 /etc/sudoers
244	}
245
246	pkg_postinst() {
247	if use ldap; then
248	ewarn
249	ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."
250	ewarn
251	if egrep -q '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf; then
252	ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
253	ewarn "configured in /etc/nsswitch.conf."
254	ewarn
255	ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"
256	ewarn " sudoers: ldap files"
257	ewarn
258	fi
259	fi
260	}

Gentoo Archives: gentoo-commits