
From: Lars Wendler <polynomial-c@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: app-admin/sudo/
Date: Fri, 31 Jan 2020 14:00:35
Message-Id: 1580479204.0daecc9a3722cbab10e8124eb19b8e89d00d624f.polynomial-c@gentoo
1 commit: 0daecc9a3722cbab10e8124eb19b8e89d00d624f
2 Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
3 AuthorDate: Fri Jan 31 13:54:44 2020 +0000
4 Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
5 CommitDate: Fri Jan 31 14:00:04 2020 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0daecc9a
7
8 app-admin/sudo: Security bump to version 1.8.31
9
10 Bug: https://bugs.gentoo.org/707574
11 Package-Manager: Portage-2.3.86, Repoman-2.3.20
12 Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>
13
14 app-admin/sudo/Manifest | 1 +
15 app-admin/sudo/sudo-1.8.31.ebuild | 263 ++++++++++++++++++++++++++++++++++++++
16 2 files changed, 264 insertions(+)
17
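--- a/app-admin/sudo/Manifest
+++ b/app-admin/sudo/Manifest
@@ -1,3 +1,4 @@
 DIST sudo-1.8.28p1.tar.gz 3310254 BLAKE2B a1810af7a42d05cce49bb9d0acf6f3731a5193e9e9c3b458691379131eb86d36995854d11c09525e8d999ed1da7e99cf170634667c5a444aa522b8f23db7d1aa SHA512 bda3de34c15fbb68fc29759542295560ccc1562b419d03709cea51613937e9b92ba689c79c3ef4858aeea90d3d1a4dc0148225b11b22cf82395ae1bad8cb1734
 DIST sudo-1.8.29.tar.gz 3338260 BLAKE2B 7ba29d155bfb1d7ba20e32ade2e8ee3919e70400b6c235e313052b247b48406b9a051e71daa7e47fdb0a9fd0889f4c05b8a1a170c027503b90081e8cec81660e SHA512 ea780922b2afb47df4df4b533fb355fd916cb18a6bfd13c7ca36a25b03ef585d805648c6fa85692bea363b1f83664ac3bc622f99bcd149b3a86f70522eb4d340
 DIST sudo-1.8.30.tar.gz 3349455 BLAKE2B 5e0aaa41f42c18cd0de473add3665adf797cd37eacfb4abfc9472814ea679c1e88e28e95e13a73eb7d9648174609d80a2d4eccf3bdf87a44186df07aeba60eee SHA512 d44831feabd92d736614239e0e0f086829d84b213c98524fffb4b926a96715b1156538a7ab5e0b6e0db8be67a6e24a1642b3648105b076d23b58c39d0dd947af
+DIST sudo-1.8.31.tar.gz 3350674 BLAKE2B de5a968732fdd58933b4c513d13c43a08cb50075a00c3e0d338c9892570a416a2b3a8f19940c0893715f4eeab991e804831a87ef656ffd91e7f1ba047c119261 SHA512 b9e408a322938c7a712458e9012d8a5f648fba5b23a5057cf5d8372c7f931262595f1575c32c32b9cb1a04af670ff4611e7df48d197e5c4cc038d6b65439a28a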
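--- /dev/null
+++ b/app-admin/sudo/sudo-1.8.31.ebuild
@@ -0,0 +1,263 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit pam multilib libtool tmpfiles
+
+MY_P="${P/_/}"
+MY_P="${MY_P/beta/b}"
+
+DESCRIPTION="Allows users or groups to run commands as other users"
+HOMEPAGE="https://www.sudo.ws/"
+if [[ ${PV} == "9999" ]] ; then
+ inherit mercurial
+ EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
+else
+ uri_prefix=
+ case ${P} in
+ *_beta*|*_rc*) uri_prefix=beta/ ;;
+ esac
+
+ SRC_URI="https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
+ ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"
+ if [[ ${PV} != *_beta* ]] && [[ ${PV} != *_rc* ]] ; then
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-solaris"
+ fi
+fi
+
+# Basic license is ISC-style as-is, some files are released under
+# 3-clause BSD license
+LICENSE="ISC BSD"
+SLOT="0"
+IUSE="gcrypt ldap libressl nls offensive pam sasl +secure-path selinux +sendmail skey sssd system-digest"
+
+DEPEND="
+ sys-libs/zlib:=
+ ldap? (
+ >=net-nds/openldap-2.1.30-r1
+ sasl? (
+ dev-libs/cyrus-sasl
+ net-nds/openldap[sasl]
+ )
+ )
+ pam? ( sys-libs/pam )
+ sasl? ( dev-libs/cyrus-sasl )
+ skey? ( >=sys-auth/skey-1.1.5-r1 )
+ sssd? ( sys-auth/sssd[sudo] )
+ system-digest? (
+ gcrypt? ( dev-libs/libgcrypt:= )
+ !gcrypt? (
+ !libressl? ( dev-libs/openssl:0= )
+ libressl? ( dev-libs/libressl:0= )
+ )
+ )
+"
+RDEPEND="
+ ${DEPEND}
+ >=app-misc/editor-wrapper-3
+ virtual/editor
+ ldap? ( dev-lang/perl )
+ pam? ( sys-auth/pambase )
+ selinux? ( sec-policy/selinux-sudo )
+ sendmail? ( virtual/mta )
+"
+BDEPEND="
+ sys-devel/bison
+"
+
+S="${WORKDIR}/${MY_P}"
+
+REQUIRED_USE="
+ pam? ( !skey )
+ skey? ( !pam )
+"
+
+MAKEOPTS+=" SAMPLES="
+
+src_prepare() {
+ default
+ elibtoolize
+}
+
+set_secure_path() {
+ # FIXME: secure_path is a compile time setting. using PATH or
+ # ROOTPATH is not perfect, env-update may invalidate this, but until it
+ # is available as a sudoers setting this will have to do.
+ einfo "Setting secure_path ..."
+
+ # first extract the default ROOTPATH from build env
+ SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env;
+ echo "${ROOTPATH}")
+ case "${SECURE_PATH}" in
+ */usr/sbin*) ;;
+ *) SECURE_PATH=$(unset PATH;
+ . "${EPREFIX}"/etc/profile.env; echo "${PATH}")
+ ;;
+ esac
+ if [[ -z ${SECURE_PATH} ]] ; then
+ ewarn " Failed to detect SECURE_PATH, please report this"
+ fi
+
+ # then remove duplicate path entries
+ cleanpath() {
+ local newpath thisp IFS=:
+ for thisp in $1 ; do
+ if [[ :${newpath}: != *:${thisp}:* ]] ; then
+ newpath+=:${thisp}
+ else
+ einfo " Duplicate entry ${thisp} removed..."
+ fi
+ done
+ SECURE_PATH=${newpath#:}
+ }
+ cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
+
+ # finally, strip gcc paths #136027
+ rmpath() {
+ local e newpath thisp IFS=:
+ for thisp in ${SECURE_PATH} ; do
+ for e ; do [[ ${thisp} == ${e} ]] && continue 2 ; done
+ newpath+=:${thisp}
+ done
+ SECURE_PATH=${newpath#:}
+ }
+ rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*'
+
+ einfo "... done"
+}
+
+src_configure() {
+ local SECURE_PATH
+ set_secure_path
+
+ # audit: somebody got to explain me how I can test this before I
+ # enable it.. - Diego
+ # plugindir: autoconf code is crappy and does not delay evaluation
+ # until `make` time, so we have to use a full path here rather than
+ # basing off other values.
+ myeconfargs=(
+ --enable-zlib=system
+ --enable-tmpfiles.d="${EPREFIX}"/usr/lib/tmpfiles.d
+ --with-editor="${EPREFIX}"/usr/libexec/editor
+ --with-env-editor
+ --with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo
+ --with-rundir="${EPREFIX}"/run/sudo
+ $(use_with secure-path secure-path "${SECURE_PATH}")
+ --with-vardir="${EPREFIX}"/var/db/sudo
+ --without-linux-audit
+ --without-opie
+ $(use_enable gcrypt)
+ $(use_enable nls)
+ $(use_enable sasl)
+ $(use_with offensive insults)
+ $(use_with offensive all-insults)
+ $(use_with ldap ldap_conf_file /etc/ldap.conf.sudo)
+ $(use_with ldap)
+ $(use_with pam)
+ $(use_with skey)
+ $(use_with sssd)
+ $(use_with selinux)
+ $(use_with sendmail)
+ )
+
+ if use system-digest && ! use gcrypt; then
+ myeconfargs+=("--enable-openssl")
+ else
+ myeconfargs+=("--disable-openssl")
+ fi
+
+ econf "${myeconfargs[@]}"
+}
+
+src_install() {
+ default
+
+ if use ldap ; then
+ dodoc README.LDAP
+
+ cat <<-EOF > "${T}"/ldap.conf.sudo
+ # See ldap.conf(5) and README.LDAP for details
+ # This file should only be readable by root
+
+ # supported directives: host, port, ssl, ldap_version
+ # uri, binddn, bindpw, sudoers_base, sudoers_debug
+ # tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key}
+ EOF
+
+ if use sasl ; then
+ cat <<-EOF >> "${T}"/ldap.conf.sudo
+
+ # SASL directives: use_sasl, sasl_mech, sasl_auth_id
+ # sasl_secprops, rootuse_sasl, rootsasl_auth_id, krb5_ccname
+ EOF
+ fi
+
+ insinto /etc
+ doins "${T}"/ldap.conf.sudo
+ fperms 0440 /etc/ldap.conf.sudo
+
+ insinto /etc/openldap/schema
+ newins doc/schema.OpenLDAP sudo.schema
+ fi
+
+ pamd_mimic system-auth sudo auth account session
+
+ keepdir /var/db/sudo/lectured
+ fperms 0700 /var/db/sudo/lectured
+ fperms 0711 /var/db/sudo #652958
+
+ # Don't install into /run as that is a tmpfs most of the time
+ # (bug #504854)
+ rm -rf "${ED}"/run
+
+ find "${ED}" -type f -name "*.la" -delete || die #697812
+}
+
+pkg_postinst() {
+ tmpfiles_process sudo.conf
+
+ #652958
+ local sudo_db="${EROOT}/var/db/sudo"
+ if [[ "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then
+ chmod 711 "${sudo_db}" || die
+ fi
+
+ if use ldap ; then
+ ewarn
+ ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."
+ ewarn
+ if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
+ ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
+ ewarn "configured in /etc/nsswitch.conf."
+ ewarn
+ ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"
+ ewarn " sudoers: ldap files"
+ ewarn
+ fi
+ fi
+ if use prefix ; then
+ ewarn
+ ewarn "To use sudo, you need to change file ownership and permissions"
+ ewarn "with root privileges, as follows:"
+ ewarn
+ ewarn " # chown root:root ${EPREFIX}/usr/bin/sudo"
+ ewarn " # chown root:root ${EPREFIX}/usr/lib/sudo/sudoers.so"
+ ewarn " # chown root:root ${EPREFIX}/etc/sudoers"
+ ewarn " # chown root:root ${EPREFIX}/etc/sudoers.d"
+ ewarn " # chown root:root ${EPREFIX}/var/db/sudo"
+ ewarn " # chmod 4111 ${EPREFIX}/usr/bin/sudo"
+ ewarn
+ fi
+
+ elog "To use the -A (askpass) option, you need to install a compatible"
+ elog "password program from the following list. Starred packages will"
+ elog "automatically register for the use with sudo (but will not force"
+ elog "the -A option):"
+ elog ""
+ elog " [*] net-misc/ssh-askpass-fullscreen"
+ elog " net-misc/x11-ssh-askpass"
+ elog ""
+ elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
+ elog "variable to the program you want to use."
+}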
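Review bot: `myeconfargs=(` in src_configure is assigned without `local`, so the array outlives the phase function as a global in the ebuild environment, unlike the neighbouring `local SECURE_PATH`; declare it `local myeconfargs=(`. The `stat -c %a` comparison in pkg_postinst feeds an empty string to `-ne` if stat fails, which `[[ ]]` appears to evaluate as 0 and then runs `chmod 711` on a path that may not exist, turning a best-effort permission repair into a `die`; guarding it with `[[ -d ${sudo_db} ]] &&` keeps it best-effort. The SUDO_ASKPASS elog at the end of pkg_postinst spells `environmnent`, a user-facing typo that should read `environment`.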