Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status

Gentoo Archives: gentoo-commits

From: "Diego Petteno (flameeyes)" <flameeyes@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in app-admin/sudo: sudo-1.7.3_beta4.ebuild ChangeLog sudo-1.7.2_p2-r1.ebuild sudo-1.7.3_beta3.ebuild
Date: Thu, 24 Jun 2010 13:38:06
Message-Id: 20100624133804.3B78B2CF48@corvid.gentoo.org
1 flameeyes 10/06/24 13:38:04
2
3 Modified: ChangeLog sudo-1.7.2_p2-r1.ebuild
4 Added: sudo-1.7.3_beta4.ebuild
5 Removed: sudo-1.7.3_beta3.ebuild
6 Log:
7 Update to latest beta; drop all keywords but the two that haven't updated from the (very) old and unsafe sudo version. Remove a stray file.
8 (Portage version: 2.2_rc67/cvs/Linux x86_64)
9
10 Revision Changes Path
11 1.227 app-admin/sudo/ChangeLog
12
13 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-admin/sudo/ChangeLog?rev=1.227&view=markup
14 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-admin/sudo/ChangeLog?rev=1.227&content-type=text/plain
15 diff : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-admin/sudo/ChangeLog?r1=1.226&r2=1.227
16
17 Index: ChangeLog
18 ===================================================================
19 RCS file: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v
20 retrieving revision 1.226
21 retrieving revision 1.227
22 diff -u -r1.226 -r1.227
23 --- ChangeLog 15 Jun 2010 22:17:19 -0000 1.226
24 +++ ChangeLog 24 Jun 2010 13:38:03 -0000 1.227
25 @@ -1,6 +1,14 @@
26 # ChangeLog for app-admin/sudo
27 # Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2
28 -# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v 1.226 2010/06/15 22:17:19 flameeyes Exp $
29 +# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v 1.227 2010/06/24 13:38:03 flameeyes Exp $
30 +
31 +*sudo-1.7.3_beta4 (24 Jun 2010)
32 +
33 + 24 Jun 2010; Diego E. Pettenò <flameeyes@g.o>
34 + sudo-1.7.2_p2-r1.ebuild, -files/sudo-1.7.2p1-securepath.patch,
35 + -sudo-1.7.3_beta3.ebuild, +sudo-1.7.3_beta4.ebuild:
36 + Update to latest beta; drop all keywords but the two that haven't updated
37 + from the (very) old and unsafe sudo version. Remove a stray file.
38
39 *sudo-1.7.3_beta3 (15 Jun 2010)
40
41
42
43
44 1.2 app-admin/sudo/sudo-1.7.2_p2-r1.ebuild
45
46 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-admin/sudo/sudo-1.7.2_p2-r1.ebuild?rev=1.2&view=markup
47 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-admin/sudo/sudo-1.7.2_p2-r1.ebuild?rev=1.2&content-type=text/plain
48 diff : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-admin/sudo/sudo-1.7.2_p2-r1.ebuild?r1=1.1&r2=1.2
49
50 Index: sudo-1.7.2_p2-r1.ebuild
51 ===================================================================
52 RCS file: /var/cvsroot/gentoo-x86/app-admin/sudo/sudo-1.7.2_p2-r1.ebuild,v
53 retrieving revision 1.1
54 retrieving revision 1.2
55 diff -u -r1.1 -r1.2
56 --- sudo-1.7.2_p2-r1.ebuild 7 Dec 2009 23:19:36 -0000 1.1
57 +++ sudo-1.7.2_p2-r1.ebuild 24 Jun 2010 13:38:03 -0000 1.2
58 @@ -1,6 +1,6 @@
59 -# Copyright 1999-2009 Gentoo Foundation
60 +# Copyright 1999-2010 Gentoo Foundation
61 # Distributed under the terms of the GNU General Public License v2
62 -# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/sudo-1.7.2_p2-r1.ebuild,v 1.1 2009/12/07 23:19:36 flameeyes Exp $
63 +# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/sudo-1.7.2_p2-r1.ebuild,v 1.2 2010/06/24 13:38:03 flameeyes Exp $
64
65 inherit eutils pam confutils
66
67 @@ -23,7 +23,7 @@
68 # 3-clause BSD license
69 LICENSE="as-is BSD"
70 SLOT="0"
71 -KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd"
72 +KEYWORDS="~mips ~sparc-fbsd"
73 IUSE="pam skey offensive ldap selinux"
74
75 DEPEND="pam? ( virtual/pam )
76
77
78
79 1.1 app-admin/sudo/sudo-1.7.3_beta4.ebuild
80
81 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-admin/sudo/sudo-1.7.3_beta4.ebuild?rev=1.1&view=markup
82 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-admin/sudo/sudo-1.7.3_beta4.ebuild?rev=1.1&content-type=text/plain
83
84 Index: sudo-1.7.3_beta4.ebuild
85 ===================================================================
86 # Copyright 1999-2010 Gentoo Foundation
87 # Distributed under the terms of the GNU General Public License v2
88 # $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/sudo-1.7.3_beta4.ebuild,v 1.1 2010/06/24 13:38:03 flameeyes Exp $
89
90 inherit eutils pam confutils
91
92 MY_P=${P/_/}
93 MY_P=${MY_P/beta/b}
94
95 case "${P}" in
96 *_beta* | *_rc*)
97 uri_prefix=beta/
98 ;;
99 *)
100 uri_prefix=""
101 ;;
102 esac
103
104 DESCRIPTION="Allows users or groups to run commands as other users"
105 HOMEPAGE="http://www.sudo.ws/"
106 SRC_URI="ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"
107 # Basic license is ISC-style as-is, some files are released under
108 # 3-clause BSD license
109 LICENSE="as-is BSD"
110 SLOT="0"
111 KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd"
112 IUSE="pam skey offensive ldap selinux"
113
114 DEPEND="pam? ( virtual/pam )
115 ldap? (
116 >=net-nds/openldap-2.1.30-r1
117 dev-libs/cyrus-sasl
118 )
119 skey? ( >=sys-auth/skey-1.1.5-r1 )
120 app-editors/gentoo-editor
121 virtual/editor
122 virtual/mta"
123 RDEPEND="selinux? ( sec-policy/selinux-sudo )
124 ldap? ( dev-lang/perl )
125 pam? ( sys-auth/pambase )
126 ${DEPEND}"
127 DEPEND="${DEPEND} sys-devel/bison"
128
129 S=${WORKDIR}/${MY_P}
130
131 pkg_setup() {
132 confutils_use_conflict skey pam
133 }
134
135 src_unpack() {
136 unpack ${A}; cd "${S}"
137
138 # compatability fix.
139 epatch "${FILESDIR}"/${PN}-skeychallengeargs.diff
140
141 # additional variables to disallow, should user disable env_reset.
142
143 # NOTE: this is not a supported mode of operation, these variables
144 # are added to the blacklist as a convenience to administrators
145 # who fail to heed the warnings of allowing untrusted users
146 # to access sudo.
147 #
148 # there is *no possible way* to foresee all attack vectors in
149 # all possible applications that could potentially be used via
150 # sudo, these settings will just delay the inevitable.
151 #
152 # that said, I will accept suggestions for variables that can
153 # be misused in _common_ interpreters or libraries, such as
154 # perl, bash, python, ruby, etc., in the hope of dissuading
155 # a casual attacker.
156
157 # XXX: perl should be using suid_perl.
158 # XXX: users can remove/add more via env_delete and env_check.
159 # XXX: <?> = probably safe enough for most circumstances.
160
161 einfo "Blacklisting common variables (env_delete)..."
162 sudo_bad_var() {
163 local target='env.c' marker='\*initial_badenv_table\[\]'
164
165 ebegin " $1"
166 sed -i 's#\(^.*'${marker}'.*$\)#\1\n\t"'${1}'",#' "${S}"/${target}
167 eend $?
168 }
169
170 sudo_bad_var 'PERLIO_DEBUG' # perl, write debug to file.
171 sudo_bad_var 'FPATH' # ksh, search path for functions.
172 sudo_bad_var 'NULLCMD' # zsh, command on null-redir. <?>
173 sudo_bad_var 'READNULLCMD' # zsh, command on null-redir. <?>
174 sudo_bad_var 'GLOBIGNORE' # bash, glob paterns to ignore. <?>
175 sudo_bad_var 'PYTHONHOME' # python, module search path.
176 sudo_bad_var 'PYTHONPATH' # python, search path.
177 sudo_bad_var 'PYTHONINSPECT' # python, allow inspection.
178 sudo_bad_var 'RUBYLIB' # ruby, lib load path.
179 sudo_bad_var 'RUBYOPT' # ruby, cl options.
180 sudo_bad_var 'ZDOTDIR' # zsh, path to search for dotfiles.
181 einfo "...done."
182
183 # prevent binaries from being stripped.
184 sed -i 's/\($(INSTALL).*\) -s \(.*[(sudo|visudo)]\)/\1 \2/g' Makefile.in
185 }
186
187 src_compile() {
188 local line ROOTPATH
189
190 # FIXME: secure_path is a compile time setting. using ROOTPATH
191 # is not perfect, env-update may invalidate this, but until it
192 # is available as a sudoers setting this will have to do.
193 einfo "Setting secure_path..."
194
195 # why not use grep? variable might be expanded from other variables
196 # declared in that file. cannot just source the file, would override
197 # any variables already set.
198 eval `PS4= bash -x /etc/profile.env 2>&1 | \
199 while read line; do
200 case $line in
201 ROOTPATH=*) echo $line; break;;
202 *) continue;;
203 esac
204 done` && einfo " Found ROOTPATH..." || \
205 ewarn " Failed to find ROOTPATH, please report this."
206
207 # remove duplicate path entries from $1
208 cleanpath() {
209 local i=1 x n IFS=:
210 local -a paths; paths=($1)
211
212 for ((n=${#paths[*]}-1;i<=n;i++)); do
213 for ((x=0;x<i;x++)); do
214 test "${paths[i]}" == "${paths[x]}" && {
215 einfo " Duplicate entry ${paths[i]} removed..." 1>&2
216 unset paths[i]; continue 2; }
217 done; # einfo " Adding ${paths[i]}..." 1>&2
218 done; echo "${paths[*]}"
219 }
220
221 ROOTPATH=$(cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${ROOTPATH:+:${ROOTPATH}})
222
223 # strip gcc path (bug #136027)
224 rmpath() {
225 declare e newpath oldpath=${!1} PATHvar=$1 thisp IFS=:
226 shift
227 for thisp in $oldpath; do
228 for e; do [[ $thisp == $e ]] && continue 2; done
229 newpath=$newpath:$thisp
230 done
231 eval $PATHvar='${newpath#:}'
232 }
233
234 rmpath ROOTPATH '*/gcc-bin/*'
235
236 einfo "...done."
237
238 # XXX: --disable-path-info closes an info leak, but may be confusing.
239 # audit: somebody got to explain me how I can test this before I
240 # enable it.. — Diego
241 econf --with-secure-path="${ROOTPATH}" \
242 --with-editor=/usr/libexec/gentoo-editor \
243 --with-env-editor \
244 $(use_with offensive insults) \
245 $(use_with offensive all-insults) \
246 $(use_with pam) \
247 $(use_with skey) \
248 $(use_with ldap ldap_conf_file /etc/ldap.conf.sudo) \
249 $(use_with ldap) \
250 --without-linux-audit
251
252 emake || die
253 }
254
255 src_install() {
256 emake DESTDIR="${D}" install || die
257 dodoc ChangeLog HISTORY PORTING README TROUBLESHOOTING \
258 UPGRADE WHATSNEW sample.sudoers sample.syslog.conf
259
260 if use ldap; then
261 dodoc README.LDAP schema.OpenLDAP
262 dosbin sudoers2ldif
263
264 cat - > "${T}"/ldap.conf.sudo <<EOF
265 # See ldap.conf(5) and README.LDAP for details\n"
266 # This file should only be readable by root\n\n"
267 # supported directives: host, port, ssl, ldap_version\n"
268 # uri, binddn, bindpw, sudoers_base, sudoers_debug\n"
269 # tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key
270 EOF
271
272 insinto /etc
273 doins "${T}"/ldap.conf.sudo
274 fperms 0440 /etc/ldap.conf.sudo
275 fi
276
277 pamd_mimic system-auth sudo auth account password session
278
279 insinto /etc
280 doins "${S}"/sudoers
281 fperms 0440 /etc/sudoers
282 }
283
284 pkg_postinst() {
285 if use ldap; then
286 ewarn
287 ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."
288 ewarn
289 if egrep -q '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf; then
290 ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
291 ewarn "configured in /etc/nsswitch.conf."
292 ewarn
293 ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"
294 ewarn " sudoers: ldap files"
295 ewarn
296 fi
297 fi
298
299 elog "To use the -A (askpass) option, you need to install a compatible"
300 elog "password program from the following list. Starred packages will"
301 elog "automatically register for the use with sudo (but will not force"
302 elog "the -A option):"
303 elog ""
304 elog " [*] net-misc/ssh-askpass-fullscreen"
305 elog " net-misc/x11-ssh-askpass"
306 elog ""
307 elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
308 elog "variable to the program you want to use."
309 }
Report Message
Find on MARC Find on Google Groups