[gentoo-commits] gentoo-x86 commit in app-admin/sudo: ChangeLog sudo-1.7.1_beta5.ebuild sudo-1.7.1_beta4.ebuild - gentoo-commits

From:	"Diego Petteno (flameeyes)" <flameeyes@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] gentoo-x86 commit in app-admin/sudo: ChangeLog sudo-1.7.1_beta5.ebuild sudo-1.7.1_beta4.ebuild
Date:	Mon, 30 Mar 2009 15:09:54
Message-Id:	`E1LoJ7X-0003PI-N9@stork.gentoo.org`

1

flameeyes    09/03/30 15:09:51

2

3

  Modified:             ChangeLog

4

  Added:                sudo-1.7.1_beta5.ebuild

5

  Removed:              sudo-1.7.1_beta4.ebuild

6

  Log:

7

  Bump development version.

8

  (Portage version: 2.2_rc27/cvs/Linux x86_64)

9

10

Revision  Changes    Path

11

1.168                app-admin/sudo/ChangeLog

12

13

file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/ChangeLog?rev=1.168&view=markup

14

plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/ChangeLog?rev=1.168&content-type=text/plain

15

diff : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/ChangeLog?r1=1.167&r2=1.168

16

17

Index: ChangeLog

18

===================================================================

19

RCS file: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v

20

retrieving revision 1.167

21

retrieving revision 1.168

22

diff -u -r1.167 -r1.168

23

--- ChangeLog	27 Mar 2009 18:38:20 -0000	1.167

24

+++ ChangeLog	30 Mar 2009 15:09:51 -0000	1.168

25

@@ -1,6 +1,12 @@

26

 # ChangeLog for app-admin/sudo

27

 # Copyright 2002-2009 Gentoo Foundation; Distributed under the GPL v2

28

-# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v 1.167 2009/03/27 18:38:20 armin76 Exp $

29

+# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v 1.168 2009/03/30 15:09:51 flameeyes Exp $

30

+

31

+*sudo-1.7.1_beta5 (30 Mar 2009)

32

+

33

+  30 Mar 2009; Diego E. Pettenò <flameeyes@g.o>

34

+  -sudo-1.7.1_beta4.ebuild, +sudo-1.7.1_beta5.ebuild:

35

+  Bump development version.

36

37

   27 Mar 2009; Raúl Porcel <armin76@g.o> sudo-1.7.0.ebuild:

38

   m68k stable, thanks to kolla for testing

1.1                  app-admin/sudo/sudo-1.7.1_beta5.ebuild

43

44

file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/sudo-1.7.1_beta5.ebuild?rev=1.1&view=markup

45

plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/sudo-1.7.1_beta5.ebuild?rev=1.1&content-type=text/plain

46

47

Index: sudo-1.7.1_beta5.ebuild

48

===================================================================

49

# Copyright 1999-2009 Gentoo Foundation

50

# Distributed under the terms of the GNU General Public License v2

51

# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/sudo-1.7.1_beta5.ebuild,v 1.1 2009/03/30 15:09:51 flameeyes Exp $

52

53

inherit eutils pam confutils

54

55

MY_P=${P/_/}

56

MY_P=${MY_P/beta/b}

57

58

case "${P}" in

59

	*_beta* | *_rc*)

60

		uri_prefix=beta/

61

;;

62

*)

63

		uri_prefix=""

64

;;

65

esac

66

67

DESCRIPTION="Allows users or groups to run commands as other users"

68

HOMEPAGE="http://www.sudo.ws/"

69

SRC_URI="ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"

70

LICENSE="Sudo"

71

SLOT="0"

72

KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~sparc-fbsd ~x86 ~x86-fbsd"

73

IUSE="pam skey offensive ldap selinux"

74

75

DEPEND="pam? ( virtual/pam )

76

	ldap? (

77

		>=net-nds/openldap-2.1.30-r1

78

		dev-libs/cyrus-sasl

79

)

80

	skey? ( >=sys-auth/skey-1.1.5-r1 )

81

	virtual/editor

82

	virtual/mta"

83

RDEPEND="selinux? ( sec-policy/selinux-sudo )

84

	ldap? ( dev-lang/perl )

85

	pam? ( sys-auth/pambase )

86

	${DEPEND}"

87

DEPEND="${DEPEND} sys-devel/bison"

88

89

S=${WORKDIR}/${MY_P}

90

91

pkg_setup() {

92

	confutils_use_conflict skey pam

93

}

94

95

src_unpack() {

96

	unpack ${A}; cd "${S}"

97

98

	# compatability fix.

99

	epatch "${FILESDIR}"/${PN}-skeychallengeargs.diff

100

101

	# additional variables to disallow, should user disable env_reset.

102

103

	# NOTE: this is not a supported mode of operation, these variables

104

	#       are added to the blacklist as a convenience to administrators

105

	#       who fail to heed the warnings of allowing untrusted users

106

	#       to access sudo.

107

#

108

	#       there is *no possible way* to foresee all attack vectors in

109

	#       all possible applications that could potentially be used via

110

	#       sudo, these settings will just delay the inevitable.

111

#

112

	#       that said, I will accept suggestions for variables that can

113

	#       be misused in _common_ interpreters or libraries, such as

114

	#       perl, bash, python, ruby, etc., in the hope of dissuading

115

	#       a casual attacker.

116

117

	# XXX: perl should be using suid_perl.

118

	# XXX: users can remove/add more via env_delete and env_check.

119

	# XXX: <?> = probably safe enough for most circumstances.

120

121

	einfo "Blacklisting common variables (env_delete)..."

122

		sudo_bad_var() {

123

			local target='env.c' marker='\*initial_badenv_table\[\]'

124

125

			ebegin "	$1"

126

			sed -i 's#\(^.*'${marker}'.*$\)#\1\n\t"'${1}'",#' "${S}"/${target}

127

			eend $?

128

}

129

130

		sudo_bad_var 'PERLIO_DEBUG'   # perl, write debug to file.

131

		sudo_bad_var 'FPATH'          # ksh, search path for functions.

132

		sudo_bad_var 'NULLCMD'        # zsh, command on null-redir. <?>

133

		sudo_bad_var 'READNULLCMD'    # zsh, command on null-redir. <?>

134

		sudo_bad_var 'GLOBIGNORE'     # bash, glob paterns to ignore. <?>

135

		sudo_bad_var 'PYTHONHOME'     # python, module search path.

136

		sudo_bad_var 'PYTHONPATH'     # python, search path.

137

		sudo_bad_var 'PYTHONINSPECT'  # python, allow inspection.

138

		sudo_bad_var 'RUBYLIB'        # ruby, lib load path.

139

		sudo_bad_var 'RUBYOPT'        # ruby, cl options.

140

		sudo_bad_var 'ZDOTDIR'        # zsh, path to search for dotfiles.

141

	einfo "...done."

142

143

	# prevent binaries from being stripped.

144

	sed -i 's/\($(INSTALL).*\) -s \(.*[(sudo|visudo)]\)/\1 \2/g' Makefile.in

145

146

	# remove useless c++ checks

147

	epunt_cxx

148

}

149

150

src_compile() {

151

	local line ROOTPATH

152

153

	# FIXME: secure_path is a compile time setting. using ROOTPATH

154

	# is not perfect, env-update may invalidate this, but until it

155

	# is available as a sudoers setting this will have to do.

156

	einfo "Setting secure_path..."

157

158

		# why not use grep? variable might be expanded from other variables

159

		# declared in that file. cannot just source the file, would override

160

		# any variables already set.

161

		eval `PS4= bash -x /etc/profile.env 2>&1 | \

162

			while read line; do

163

				case $line in

164

					ROOTPATH=*) echo $line; break;;

165

					*) continue;;

166

				esac

167

			done`  && einfo "	Found ROOTPATH..." || \

168

				ewarn "	Failed to find ROOTPATH, please report this."

169

170

		# remove duplicate path entries from $1

171

		cleanpath() {

172

			local i=1 x n IFS=:

173

			local -a paths;	paths=($1)

174

175

			for ((n=${#paths[*]}-1;i<=n;i++)); do

176

				for ((x=0;x<i;x++)); do

177

					test "${paths[i]}" == "${paths[x]}" && {

178

						einfo "	Duplicate entry ${paths[i]} removed..." 1>&2

179

						unset paths[i]; continue 2; }

180

				done; # einfo "	Adding ${paths[i]}..." 1>&2

181

			done; echo "${paths[*]}"

182

}

183

184

		ROOTPATH=$(cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${ROOTPATH:+:${ROOTPATH}})

185

186

		# strip gcc path (bug #136027)

187

		rmpath() {

188

			declare e newpath oldpath=${!1} PATHvar=$1 thisp IFS=:

189

			shift

190

			for thisp in $oldpath; do

191

				for e; do [[ $thisp == $e ]] && continue 2; done

192

				newpath=$newpath:$thisp

193

			done

194

			eval $PATHvar='${newpath#:}'

195

}

196

197

		rmpath ROOTPATH '*/gcc-bin/*'

198

199

	einfo "...done."

200

201

	# XXX: --disable-path-info closes an info leak, but may be confusing.

202

	# XXX: /bin/vi may not be available, make nano visudo's default.

203

	econf --with-secure-path="${ROOTPATH}" \

204

		--with-editor=/bin/nano \

205

		--with-env-editor \

206

		$(use_with offensive insults) \

207

		$(use_with offensive all-insults) \

208

		$(use_with pam) \

209

		$(use_with skey) \

210

		$(use_with ldap ldap_conf_file /etc/ldap.conf.sudo) \

211

		$(use_with ldap) || die

212

213

	emake || die

214

}

215

216

src_install() {

217

	emake DESTDIR="${D}" install || die

218

	dodoc ChangeLog HISTORY PORTING README TROUBLESHOOTING \

219

		UPGRADE WHATSNEW sample.sudoers sample.syslog.conf

220

221

	if use ldap; then

222

		dodoc README.LDAP schema.OpenLDAP

223

		dosbin sudoers2ldif

224

225

		cat - > "${T}"/ldap.conf.sudo <<EOF

226

# See ldap.conf(5) and README.LDAP for details\n"

227

# This file should only be readable by root\n\n"

228

# supported directives: host, port, ssl, ldap_version\n"

229

# uri, binddn, bindpw, sudoers_base, sudoers_debug\n"

230

# tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key

231

EOF

232

233

		insinto /etc

234

		doins "${T}"/ldap.conf.sudo

235

		fperms 0440 /etc/ldap.conf.sudo

236

fi

237

238

	pamd_mimic system-auth sudo auth account password session

239

240

	insinto /etc

241

	doins "${S}"/sudoers

242

	fperms 0440 /etc/sudoers

243

}

244

245

pkg_postinst() {

246

	if use ldap; then

247

		ewarn

248

		ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."

249

		ewarn

250

		if egrep -q '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf; then

251

			ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"

252

			ewarn "configured in /etc/nsswitch.conf."

253

			ewarn

254

			ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"

255

			ewarn "  sudoers: ldap files"

256

			ewarn

257

fi

258

fi

259

}

1	flameeyes 09/03/30 15:09:51
2
3	Modified: ChangeLog
4	Added: sudo-1.7.1_beta5.ebuild
5	Removed: sudo-1.7.1_beta4.ebuild
6	Log:
7	Bump development version.
8	(Portage version: 2.2_rc27/cvs/Linux x86_64)
9
10	Revision Changes Path
11	1.168 app-admin/sudo/ChangeLog
12
13	file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/ChangeLog?rev=1.168&view=markup
14	plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/ChangeLog?rev=1.168&content-type=text/plain
15	diff : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/ChangeLog?r1=1.167&r2=1.168
16
17	Index: ChangeLog
18	===================================================================
19	RCS file: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v
20	retrieving revision 1.167
21	retrieving revision 1.168
22	diff -u -r1.167 -r1.168
23	--- ChangeLog 27 Mar 2009 18:38:20 -0000 1.167
24	+++ ChangeLog 30 Mar 2009 15:09:51 -0000 1.168
25	@@ -1,6 +1,12 @@
26	# ChangeLog for app-admin/sudo
27	# Copyright 2002-2009 Gentoo Foundation; Distributed under the GPL v2
28	-# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v 1.167 2009/03/27 18:38:20 armin76 Exp $
29	+# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v 1.168 2009/03/30 15:09:51 flameeyes Exp $
30	+
31	+*sudo-1.7.1_beta5 (30 Mar 2009)
32	+
33	+ 30 Mar 2009; Diego E. Pettenò <flameeyes@g.o>
34	+ -sudo-1.7.1_beta4.ebuild, +sudo-1.7.1_beta5.ebuild:
35	+ Bump development version.
36
37	27 Mar 2009; Raúl Porcel <armin76@g.o> sudo-1.7.0.ebuild:
38	m68k stable, thanks to kolla for testing
39
40
41
42	1.1 app-admin/sudo/sudo-1.7.1_beta5.ebuild
43
44	file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/sudo-1.7.1_beta5.ebuild?rev=1.1&view=markup
45	plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/sudo-1.7.1_beta5.ebuild?rev=1.1&content-type=text/plain
46
47	Index: sudo-1.7.1_beta5.ebuild
48	===================================================================
49	# Copyright 1999-2009 Gentoo Foundation
50	# Distributed under the terms of the GNU General Public License v2
51	# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/sudo-1.7.1_beta5.ebuild,v 1.1 2009/03/30 15:09:51 flameeyes Exp $
52
53	inherit eutils pam confutils
54
55	MY_P=${P/_/}
56	MY_P=${MY_P/beta/b}
57
58	case "${P}" in
59	_beta \| _rc)
60	uri_prefix=beta/
61	;;
62	*)
63	uri_prefix=""
64	;;
65	esac
66
67	DESCRIPTION="Allows users or groups to run commands as other users"
68	HOMEPAGE="http://www.sudo.ws/"
69	SRC_URI="ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"
70	LICENSE="Sudo"
71	SLOT="0"
72	KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~sparc-fbsd ~x86 ~x86-fbsd"
73	IUSE="pam skey offensive ldap selinux"
74
75	DEPEND="pam? ( virtual/pam )
76	ldap? (
77	>=net-nds/openldap-2.1.30-r1
78	dev-libs/cyrus-sasl
79	)
80	skey? ( >=sys-auth/skey-1.1.5-r1 )
81	virtual/editor
82	virtual/mta"
83	RDEPEND="selinux? ( sec-policy/selinux-sudo )
84	ldap? ( dev-lang/perl )
85	pam? ( sys-auth/pambase )
86	${DEPEND}"
87	DEPEND="${DEPEND} sys-devel/bison"
88
89	S=${WORKDIR}/${MY_P}
90
91	pkg_setup() {
92	confutils_use_conflict skey pam
93	}
94
95	src_unpack() {
96	unpack ${A}; cd "${S}"
97
98	# compatability fix.
99	epatch "${FILESDIR}"/${PN}-skeychallengeargs.diff
100
101	# additional variables to disallow, should user disable env_reset.
102
103	# NOTE: this is not a supported mode of operation, these variables
104	# are added to the blacklist as a convenience to administrators
105	# who fail to heed the warnings of allowing untrusted users
106	# to access sudo.
107	#
108	# there is no possible way to foresee all attack vectors in
109	# all possible applications that could potentially be used via
110	# sudo, these settings will just delay the inevitable.
111	#
112	# that said, I will accept suggestions for variables that can
113	# be misused in _common_ interpreters or libraries, such as
114	# perl, bash, python, ruby, etc., in the hope of dissuading
115	# a casual attacker.
116
117	# XXX: perl should be using suid_perl.
118	# XXX: users can remove/add more via env_delete and env_check.
119	# XXX: <?> = probably safe enough for most circumstances.
120
121	einfo "Blacklisting common variables (env_delete)..."
122	sudo_bad_var() {
123	local target='env.c' marker='\*initial_badenv_table\[\]'
124
125	ebegin " $1"
126	sed -i 's#\(^.'${marker}'.$\)#\1\n\t"'${1}'",#' "${S}"/${target}
127	eend $?
128	}
129
130	sudo_bad_var 'PERLIO_DEBUG' # perl, write debug to file.
131	sudo_bad_var 'FPATH' # ksh, search path for functions.
132	sudo_bad_var 'NULLCMD' # zsh, command on null-redir. <?>
133	sudo_bad_var 'READNULLCMD' # zsh, command on null-redir. <?>
134	sudo_bad_var 'GLOBIGNORE' # bash, glob paterns to ignore. <?>
135	sudo_bad_var 'PYTHONHOME' # python, module search path.
136	sudo_bad_var 'PYTHONPATH' # python, search path.
137	sudo_bad_var 'PYTHONINSPECT' # python, allow inspection.
138	sudo_bad_var 'RUBYLIB' # ruby, lib load path.
139	sudo_bad_var 'RUBYOPT' # ruby, cl options.
140	sudo_bad_var 'ZDOTDIR' # zsh, path to search for dotfiles.
141	einfo "...done."
142
143	# prevent binaries from being stripped.
144	sed -i 's/\($(INSTALL).\) -s \(.[(sudo\|visudo)]\)/\1 \2/g' Makefile.in
145
146	# remove useless c++ checks
147	epunt_cxx
148	}
149
150	src_compile() {
151	local line ROOTPATH
152
153	# FIXME: secure_path is a compile time setting. using ROOTPATH
154	# is not perfect, env-update may invalidate this, but until it
155	# is available as a sudoers setting this will have to do.
156	einfo "Setting secure_path..."
157
158	# why not use grep? variable might be expanded from other variables
159	# declared in that file. cannot just source the file, would override
160	# any variables already set.
161	eval `PS4= bash -x /etc/profile.env 2>&1 \| \
162	while read line; do
163	case $line in
164	ROOTPATH=*) echo $line; break;;
165	*) continue;;
166	esac
167	done` && einfo " Found ROOTPATH..." \|\| \
168	ewarn " Failed to find ROOTPATH, please report this."
169
170	# remove duplicate path entries from $1
171	cleanpath() {
172	local i=1 x n IFS=:
173	local -a paths; paths=($1)
174
175	for ((n=${#paths[*]}-1;i<=n;i++)); do
176	for ((x=0;x<i;x++)); do
177	test "${paths[i]}" == "${paths[x]}" && {
178	einfo " Duplicate entry ${paths[i]} removed..." 1>&2
179	unset paths[i]; continue 2; }
180	done; # einfo " Adding ${paths[i]}..." 1>&2
181	done; echo "${paths[*]}"
182	}
183
184	ROOTPATH=$(cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${ROOTPATH:+:${ROOTPATH}})
185
186	# strip gcc path (bug #136027)
187	rmpath() {
188	declare e newpath oldpath=${!1} PATHvar=$1 thisp IFS=:
189	shift
190	for thisp in $oldpath; do
191	for e; do [[ $thisp == $e ]] && continue 2; done
192	newpath=$newpath:$thisp
193	done
194	eval $PATHvar='${newpath#:}'
195	}
196
197	rmpath ROOTPATH '/gcc-bin/'
198
199	einfo "...done."
200
201	# XXX: --disable-path-info closes an info leak, but may be confusing.
202	# XXX: /bin/vi may not be available, make nano visudo's default.
203	econf --with-secure-path="${ROOTPATH}" \
204	--with-editor=/bin/nano \
205	--with-env-editor \
206	$(use_with offensive insults) \
207	$(use_with offensive all-insults) \
208	$(use_with pam) \
209	$(use_with skey) \
210	$(use_with ldap ldap_conf_file /etc/ldap.conf.sudo) \
211	$(use_with ldap) \|\| die
212
213	emake \|\| die
214	}
215
216	src_install() {
217	emake DESTDIR="${D}" install \|\| die
218	dodoc ChangeLog HISTORY PORTING README TROUBLESHOOTING \
219	UPGRADE WHATSNEW sample.sudoers sample.syslog.conf
220
221	if use ldap; then
222	dodoc README.LDAP schema.OpenLDAP
223	dosbin sudoers2ldif
224
225	cat - > "${T}"/ldap.conf.sudo <<EOF
226	# See ldap.conf(5) and README.LDAP for details\n"
227	# This file should only be readable by root\n\n"
228	# supported directives: host, port, ssl, ldap_version\n"
229	# uri, binddn, bindpw, sudoers_base, sudoers_debug\n"
230	# tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key
231	EOF
232
233	insinto /etc
234	doins "${T}"/ldap.conf.sudo
235	fperms 0440 /etc/ldap.conf.sudo
236	fi
237
238	pamd_mimic system-auth sudo auth account password session
239
240	insinto /etc
241	doins "${S}"/sudoers
242	fperms 0440 /etc/sudoers
243	}
244
245	pkg_postinst() {
246	if use ldap; then
247	ewarn
248	ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."
249	ewarn
250	if egrep -q '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf; then
251	ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
252	ewarn "configured in /etc/nsswitch.conf."
253	ewarn
254	ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"
255	ewarn " sudoers: ldap files"
256	ewarn
257	fi
258	fi
259	}

Gentoo Archives: gentoo-commits