
From: Lars Wendler <polynomial-c@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] repo/gentoo:master commit in: app-admin/sudo/
Date: Sun, 13 Jan 2019 01:10:47
Message-Id: 1547341830.94bfb597738bad84a823b5f086cb7ffa72675ef7.polynomial-c@gentoo
1 commit: 94bfb597738bad84a823b5f086cb7ffa72675ef7
2 Author: Karel Kočí <cynerd <AT> email <DOT> cz>
3 AuthorDate: Tue Dec 4 19:27:04 2018 +0000
4 Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
5 CommitDate: Sun Jan 13 01:10:30 2019 +0000
6 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=94bfb597
7
8 app-admin/sudo: Add secure-path use
9
10 For security reasons, it makes sense to mask the PATH variable with known
11 secure content when sudo is executed. The problem is that this is not common on
12 other distributions, and in some cases it makes sense to allow the user's
13 PATH to be used, because masking it complicates common uses of sudo such as:
14 sudo !!
15 This does not change the previous default behavior. It just adds a USE flag
16 for enabling secure-path, which is enabled by default.
17
18 Bug: https://bugs.gentoo.org/672522
19
20 Signed-off-by: Karel Kočí <cynerd <AT> email.cz>
21 Closes: https://github.com/gentoo/gentoo/pull/10566
22 Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>
23
24 app-admin/sudo/metadata.xml | 1 +
25 app-admin/sudo/sudo-1.8.26-r1.ebuild | 243 +++++++++++++++++++++++++++++++++++
26 2 files changed, 244 insertions(+)
27
28 diff --git a/app-admin/sudo/metadata.xml b/app-admin/sudo/metadata.xml
29 index 66a78473b2e..de20459ab49 100644
30 --- a/app-admin/sudo/metadata.xml
31 +++ b/app-admin/sudo/metadata.xml
32 @@ -17,6 +17,7 @@
33 <flag name="openssl">Use SHA2 from <pkg>dev-libs/openssl</pkg> instead of sudo's internal SHA2</flag>
34 <flag name="sendmail">Allow sudo to send emails with sendmail</flag>
35 <flag name="sssd">Add System Security Services Daemon support</flag>
36 + <flag name="secure-path">Replace PATH variable with compile time secure paths</flag>
37 </use>
38 <upstream>
39 <remote-id type="cpe">cpe:/a:todd_miller:sudo</remote-id>
40
41 diff --git a/app-admin/sudo/sudo-1.8.26-r1.ebuild b/app-admin/sudo/sudo-1.8.26-r1.ebuild
42 new file mode 100644
43 index 00000000000..fd5b1a9c50b
44 --- /dev/null
45 +++ b/app-admin/sudo/sudo-1.8.26-r1.ebuild
46 @@ -0,0 +1,243 @@
47 +# Copyright 1999-2018 Gentoo Authors
48 +# Distributed under the terms of the GNU General Public License v2
49 +
50 +EAPI=6
51 +
52 +inherit eutils pam multilib libtool tmpfiles
53 +if [[ ${PV} == "9999" ]] ; then
54 + EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
55 + inherit mercurial
56 +fi
57 +
58 +MY_P=${P/_/}
59 +MY_P=${MY_P/beta/b}
60 +
61 +uri_prefix=
62 +case ${P} in
63 + *_beta*|*_rc*) uri_prefix=beta/ ;;
64 +esac
65 +
66 +DESCRIPTION="Allows users or groups to run commands as other users"
67 +HOMEPAGE="https://www.sudo.ws/"
68 +if [[ ${PV} != "9999" ]] ; then
69 + SRC_URI="https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
70 + ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"
71 + if [[ ${PV} != *_beta* ]] && [[ ${PV} != *_rc* ]] ; then
72 + KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~sparc-solaris"
73 + fi
74 +fi
75 +
76 +# Basic license is ISC-style as-is, some files are released under
77 +# 3-clause BSD license
78 +LICENSE="ISC BSD"
79 +SLOT="0"
80 +IUSE="gcrypt ldap nls offensive openssl pam sasl +secure-path selinux +sendmail skey sssd"
81 +
82 +CDEPEND="
83 + sys-libs/zlib:=
84 + gcrypt? ( dev-libs/libgcrypt:= )
85 + ldap? (
86 + >=net-nds/openldap-2.1.30-r1
87 + dev-libs/cyrus-sasl
88 + )
89 + openssl? ( dev-libs/openssl:0= )
90 + pam? ( virtual/pam )
91 + sasl? ( dev-libs/cyrus-sasl )
92 + skey? ( >=sys-auth/skey-1.1.5-r1 )
93 + sssd? ( sys-auth/sssd[sudo] )
94 +"
95 +RDEPEND="
96 + ${CDEPEND}
97 + >=app-misc/editor-wrapper-3
98 + virtual/editor
99 + ldap? ( dev-lang/perl )
100 + pam? ( sys-auth/pambase )
101 + selinux? ( sec-policy/selinux-sudo )
102 + sendmail? ( virtual/mta )
103 +"
104 +DEPEND="
105 + ${CDEPEND}
106 + sys-devel/bison
107 +"
108 +
109 +S="${WORKDIR}/${MY_P}"
110 +
111 +REQUIRED_USE="
112 + pam? ( !skey )
113 + skey? ( !pam )
114 + ?? ( gcrypt openssl )
115 +"
116 +
117 +MAKEOPTS+=" SAMPLES="
118 +
119 +src_prepare() {
120 + default
121 + elibtoolize
122 +}
123 +
124 +set_secure_path() {
125 + # FIXME: secure_path is a compile time setting. using PATH or
126 + # ROOTPATH is not perfect, env-update may invalidate this, but until it
127 + # is available as a sudoers setting this will have to do.
128 + einfo "Setting secure_path ..."
129 +
130 + # first extract the default ROOTPATH from build env
131 + SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env;
132 + echo "${ROOTPATH}")
133 + case "${SECURE_PATH}" in
134 + */usr/sbin*) ;;
135 + *) SECURE_PATH=$(unset PATH;
136 + . "${EPREFIX}"/etc/profile.env; echo "${PATH}")
137 + ;;
138 + esac
139 + if [[ -z ${SECURE_PATH} ]] ; then
140 + ewarn " Failed to detect SECURE_PATH, please report this"
141 + fi
142 +
143 + # then remove duplicate path entries
144 + cleanpath() {
145 + local newpath thisp IFS=:
146 + for thisp in $1 ; do
147 + if [[ :${newpath}: != *:${thisp}:* ]] ; then
148 + newpath+=:$thisp
149 + else
150 + einfo " Duplicate entry ${thisp} removed..."
151 + fi
152 + done
153 + SECURE_PATH=${newpath#:}
154 + }
155 + cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
156 +
157 + # finally, strip gcc paths #136027
158 + rmpath() {
159 + local e newpath thisp IFS=:
160 + for thisp in ${SECURE_PATH} ; do
161 + for e ; do [[ $thisp == $e ]] && continue 2 ; done
162 + newpath+=:$thisp
163 + done
164 + SECURE_PATH=${newpath#:}
165 + }
166 + rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*'
167 +
168 + einfo "... done"
169 +}
170 +
171 +src_configure() {
172 + local SECURE_PATH
173 + set_secure_path
174 +
175 + # audit: somebody got to explain me how I can test this before I
176 + # enable it.. - Diego
177 + # plugindir: autoconf code is crappy and does not delay evaluation
178 + # until `make` time, so we have to use a full path here rather than
179 + # basing off other values.
180 + myeconfargs=(
181 + --enable-zlib=system
182 + --enable-tmpfiles.d="${EPREFIX}"/usr/lib/tmpfiles.d
183 + --with-editor="${EPREFIX}"/usr/libexec/editor
184 + --with-env-editor
185 + --with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo
186 + --with-rundir="${EPREFIX}"/run/sudo
187 + $(use_with secure-path secure-path ${SECURE_PATH})
188 + --with-secure-path="${SECURE_PATH}"
189 + --with-vardir="${EPREFIX}"/var/db/sudo
190 + --without-linux-audit
191 + --without-opie
192 + $(use_enable gcrypt)
193 + $(use_enable nls)
194 + $(use_enable openssl)
195 + $(use_enable sasl)
196 + $(use_with offensive insults)
197 + $(use_with offensive all-insults)
198 + $(use_with ldap ldap_conf_file /etc/ldap.conf.sudo)
199 + $(use_with ldap)
200 + $(use_with pam)
201 + $(use_with skey)
202 + $(use_with sssd)
203 + $(use_with selinux)
204 + $(use_with sendmail)
205 + )
206 + econf "${myeconfargs[@]}"
207 +}
208 +
209 +src_install() {
210 + default
211 +
212 + if use ldap ; then
213 + dodoc README.LDAP
214 +
215 + cat <<-EOF > "${T}"/ldap.conf.sudo
216 + # See ldap.conf(5) and README.LDAP for details
217 + # This file should only be readable by root
218 +
219 + # supported directives: host, port, ssl, ldap_version
220 + # uri, binddn, bindpw, sudoers_base, sudoers_debug
221 + # tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key}
222 + EOF
223 +
224 + insinto /etc
225 + doins "${T}"/ldap.conf.sudo
226 + fperms 0440 /etc/ldap.conf.sudo
227 +
228 + insinto /etc/openldap/schema
229 + newins doc/schema.OpenLDAP sudo.schema
230 + fi
231 +
232 + pamd_mimic system-auth sudo auth account session
233 +
234 + keepdir /var/db/sudo/lectured
235 + fperms 0700 /var/db/sudo/lectured
236 + fperms 0711 /var/db/sudo #652958
237 +
238 + # Don't install into /run as that is a tmpfs most of the time
239 + # (bug #504854)
240 + rm -rf "${ED%/}"/run
241 +}
242 +
243 +pkg_postinst() {
244 + tmpfiles_process sudo.conf
245 +
246 + #652958
247 + local sudo_db="${EROOT}/var/db/sudo"
248 + if [[ "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then
249 + chmod 711 "${sudo_db}" || die
250 + fi
251 +
252 + if use ldap ; then
253 + ewarn
254 + ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."
255 + ewarn
256 + if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
257 + ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
258 + ewarn "configured in /etc/nsswitch.conf."
259 + ewarn
260 + ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"
261 + ewarn " sudoers: ldap files"
262 + ewarn
263 + fi
264 + fi
265 + if use prefix ; then
266 + ewarn
267 + ewarn "To use sudo, you need to change file ownership and permissions"
268 + ewarn "with root privileges, as follows:"
269 + ewarn
270 + ewarn " # chown root:root ${EPREFIX}/usr/bin/sudo"
271 + ewarn " # chown root:root ${EPREFIX}/usr/lib/sudo/sudoers.so"
272 + ewarn " # chown root:root ${EPREFIX}/etc/sudoers"
273 + ewarn " # chown root:root ${EPREFIX}/etc/sudoers.d"
274 + ewarn " # chown root:root ${EPREFIX}/var/db/sudo"
275 + ewarn " # chmod 4111 ${EPREFIX}/usr/bin/sudo"
276 + ewarn
277 + fi
278 +
279 + elog "To use the -A (askpass) option, you need to install a compatible"
280 + elog "password program from the following list. Starred packages will"
281 + elog "automatically register for the use with sudo (but will not force"
282 + elog "the -A option):"
283 + elog ""
284 + elog " [*] net-misc/ssh-askpass-fullscreen"
285 + elog " net-misc/x11-ssh-askpass"
286 + elog ""
287 + elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
288 + elog "variable to the program you want to use."
289 +}
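Review bot: In `src_configure`'s `myeconfargs`, the unconditional `--with-secure-path="${SECURE_PATH}"` placed directly after `$(use_with secure-path secure-path ${SECURE_PATH})` appears to make the new USE flag a no-op. With USE=-secure-path the helper emits `--without-secure-path`, and the later `--with-secure-path=...` should override it, since configure normally honours the last occurrence of an option. The result fails closed (PATH is still replaced), but a user who disables the flag gets a build that does not match what `metadata.xml` describes. Drop the unconditional line and keep only `$(use_with secure-path secure-path "${SECURE_PATH}")`, quoted so that a path entry containing whitespace is not word-split into separate configure arguments.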