[gentoo-commits] gentoo-x86 commit in app-admin/sudo: ChangeLog sudo-1.7.2_p4.ebuild - gentoo-commits

From:	"Tobias Heinlein (keytoaster)" <keytoaster@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] gentoo-x86 commit in app-admin/sudo: ChangeLog sudo-1.7.2_p4.ebuild
Date:	Thu, 25 Feb 2010 21:08:37
Message-Id:	`E1Nkkwl-0004w5-Pb@stork.gentoo.org`

1

keytoaster    10/02/25 21:08:35

2

3

  Modified:             ChangeLog

4

  Added:                sudo-1.7.2_p4.ebuild

5

  Log:

6

  Version bump, security bug #306865

7

  (Portage version: 2.2_rc63/cvs/Linux x86_64)

8

9

Revision  Changes    Path

10

1.208                app-admin/sudo/ChangeLog

11

12

file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/ChangeLog?rev=1.208&view=markup

13

plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/ChangeLog?rev=1.208&content-type=text/plain

14

diff : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/ChangeLog?r1=1.207&r2=1.208

15

16

Index: ChangeLog

17

===================================================================

18

RCS file: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v

19

retrieving revision 1.207

20

retrieving revision 1.208

21

diff -u -r1.207 -r1.208

22

--- ChangeLog	20 Feb 2010 18:58:22 -0000	1.207

23

+++ ChangeLog	25 Feb 2010 21:08:34 -0000	1.208

24

@@ -1,6 +1,12 @@

25

 # ChangeLog for app-admin/sudo

26

 # Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2

27

-# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v 1.207 2010/02/20 18:58:22 flameeyes Exp $

28

+# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v 1.208 2010/02/25 21:08:34 keytoaster Exp $

29

+

30

+*sudo-1.7.2_p4 (25 Feb 2010)

31

+

32

+  25 Feb 2010; Tobias Heinlein <keytoaster@g.o>

33

+  +sudo-1.7.2_p4.ebuild:

34

+  Version bump, security bug #306865

35

36

 *sudo-1.7.2_p3 (20 Feb 2010)

1.1                  app-admin/sudo/sudo-1.7.2_p4.ebuild

42

43

file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/sudo-1.7.2_p4.ebuild?rev=1.1&view=markup

44

plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/sudo-1.7.2_p4.ebuild?rev=1.1&content-type=text/plain

45

46

Index: sudo-1.7.2_p4.ebuild

47

===================================================================

48

# Copyright 1999-2010 Gentoo Foundation

49

# Distributed under the terms of the GNU General Public License v2

50

# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/sudo-1.7.2_p4.ebuild,v 1.1 2010/02/25 21:08:35 keytoaster Exp $

51

52

inherit eutils pam confutils

53

54

MY_P=${P/_/}

55

MY_P=${MY_P/beta/b}

56

57

case "${P}" in

58

	*_beta* | *_rc*)

59

		uri_prefix=beta/

60

;;

61

*)

62

		uri_prefix=""

63

;;

64

esac

65

66

DESCRIPTION="Allows users or groups to run commands as other users"

67

HOMEPAGE="http://www.sudo.ws/"

68

SRC_URI="ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"

69

# Basic license is ISC-style as-is, some files are released under

70

# 3-clause BSD license

71

LICENSE="as-is BSD"

72

SLOT="0"

73

KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd"

74

IUSE="pam skey offensive ldap selinux"

75

76

DEPEND="pam? ( virtual/pam )

77

	ldap? (

78

		>=net-nds/openldap-2.1.30-r1

79

		dev-libs/cyrus-sasl

80

)

81

	skey? ( >=sys-auth/skey-1.1.5-r1 )

82

	app-editors/gentoo-editor

83

	virtual/editor

84

	virtual/mta"

85

RDEPEND="selinux? ( sec-policy/selinux-sudo )

86

	ldap? ( dev-lang/perl )

87

	pam? ( sys-auth/pambase )

88

	${DEPEND}"

89

DEPEND="${DEPEND} sys-devel/bison"

90

91

S=${WORKDIR}/${MY_P}

92

93

pkg_setup() {

94

	confutils_use_conflict skey pam

95

}

96

97

src_unpack() {

98

	unpack ${A}; cd "${S}"

99

100

	# compatability fix.

101

	epatch "${FILESDIR}"/${PN}-skeychallengeargs.diff

102

103

	# additional variables to disallow, should user disable env_reset.

104

105

	# NOTE: this is not a supported mode of operation, these variables

106

	#       are added to the blacklist as a convenience to administrators

107

	#       who fail to heed the warnings of allowing untrusted users

108

	#       to access sudo.

109

#

110

	#       there is *no possible way* to foresee all attack vectors in

111

	#       all possible applications that could potentially be used via

112

	#       sudo, these settings will just delay the inevitable.

113

#

114

	#       that said, I will accept suggestions for variables that can

115

	#       be misused in _common_ interpreters or libraries, such as

116

	#       perl, bash, python, ruby, etc., in the hope of dissuading

117

	#       a casual attacker.

118

119

	# XXX: perl should be using suid_perl.

120

	# XXX: users can remove/add more via env_delete and env_check.

121

	# XXX: <?> = probably safe enough for most circumstances.

122

123

	einfo "Blacklisting common variables (env_delete)..."

124

		sudo_bad_var() {

125

			local target='env.c' marker='\*initial_badenv_table\[\]'

126

127

			ebegin "	$1"

128

			sed -i 's#\(^.*'${marker}'.*$\)#\1\n\t"'${1}'",#' "${S}"/${target}

129

			eend $?

130

}

131

132

		sudo_bad_var 'PERLIO_DEBUG'   # perl, write debug to file.

133

		sudo_bad_var 'FPATH'          # ksh, search path for functions.

134

		sudo_bad_var 'NULLCMD'        # zsh, command on null-redir. <?>

135

		sudo_bad_var 'READNULLCMD'    # zsh, command on null-redir. <?>

136

		sudo_bad_var 'GLOBIGNORE'     # bash, glob paterns to ignore. <?>

137

		sudo_bad_var 'PYTHONHOME'     # python, module search path.

138

		sudo_bad_var 'PYTHONPATH'     # python, search path.

139

		sudo_bad_var 'PYTHONINSPECT'  # python, allow inspection.

140

		sudo_bad_var 'RUBYLIB'        # ruby, lib load path.

141

		sudo_bad_var 'RUBYOPT'        # ruby, cl options.

142

		sudo_bad_var 'ZDOTDIR'        # zsh, path to search for dotfiles.

143

	einfo "...done."

144

145

	# prevent binaries from being stripped.

146

	sed -i 's/\($(INSTALL).*\) -s \(.*[(sudo|visudo)]\)/\1 \2/g' Makefile.in

147

}

148

149

src_compile() {

150

	local line ROOTPATH

151

152

	# FIXME: secure_path is a compile time setting. using ROOTPATH

153

	# is not perfect, env-update may invalidate this, but until it

154

	# is available as a sudoers setting this will have to do.

155

	einfo "Setting secure_path..."

156

157

		# why not use grep? variable might be expanded from other variables

158

		# declared in that file. cannot just source the file, would override

159

		# any variables already set.

160

		eval `PS4= bash -x /etc/profile.env 2>&1 | \

161

			while read line; do

162

				case $line in

163

					ROOTPATH=*) echo $line; break;;

164

					*) continue;;

165

				esac

166

			done`  && einfo "	Found ROOTPATH..." || \

167

				ewarn "	Failed to find ROOTPATH, please report this."

168

169

		# remove duplicate path entries from $1

170

		cleanpath() {

171

			local i=1 x n IFS=:

172

			local -a paths;	paths=($1)

173

174

			for ((n=${#paths[*]}-1;i<=n;i++)); do

175

				for ((x=0;x<i;x++)); do

176

					test "${paths[i]}" == "${paths[x]}" && {

177

						einfo "	Duplicate entry ${paths[i]} removed..." 1>&2

178

						unset paths[i]; continue 2; }

179

				done; # einfo "	Adding ${paths[i]}..." 1>&2

180

			done; echo "${paths[*]}"

181

}

182

183

		ROOTPATH=$(cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${ROOTPATH:+:${ROOTPATH}})

184

185

		# strip gcc path (bug #136027)

186

		rmpath() {

187

			declare e newpath oldpath=${!1} PATHvar=$1 thisp IFS=:

188

			shift

189

			for thisp in $oldpath; do

190

				for e; do [[ $thisp == $e ]] && continue 2; done

191

				newpath=$newpath:$thisp

192

			done

193

			eval $PATHvar='${newpath#:}'

194

}

195

196

		rmpath ROOTPATH '*/gcc-bin/*'

197

198

	einfo "...done."

199

200

	# XXX: --disable-path-info closes an info leak, but may be confusing.

201

	econf --with-secure-path="${ROOTPATH}" \

202

		--with-editor=/usr/libexec/gentoo-editor \

203

		--with-env-editor \

204

		$(use_with offensive insults) \

205

		$(use_with offensive all-insults) \

206

		$(use_with pam) \

207

		$(use_with skey) \

208

		$(use_with ldap ldap_conf_file /etc/ldap.conf.sudo) \

209

		$(use_with ldap) || die

210

211

	emake || die

212

}

213

214

src_install() {

215

	emake DESTDIR="${D}" install || die

216

	dodoc ChangeLog HISTORY PORTING README TROUBLESHOOTING \

217

		UPGRADE WHATSNEW sample.sudoers sample.syslog.conf

218

219

	if use ldap; then

220

		dodoc README.LDAP schema.OpenLDAP

221

		dosbin sudoers2ldif

222

223

		cat - > "${T}"/ldap.conf.sudo <<EOF

224

# See ldap.conf(5) and README.LDAP for details\n"

225

# This file should only be readable by root\n\n"

226

# supported directives: host, port, ssl, ldap_version\n"

227

# uri, binddn, bindpw, sudoers_base, sudoers_debug\n"

228

# tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key

229

EOF

230

231

		insinto /etc

232

		doins "${T}"/ldap.conf.sudo

233

		fperms 0440 /etc/ldap.conf.sudo

234

fi

235

236

	pamd_mimic system-auth sudo auth account password session

237

238

	insinto /etc

239

	doins "${S}"/sudoers

240

	fperms 0440 /etc/sudoers

241

}

242

243

pkg_postinst() {

244

	if use ldap; then

245

		ewarn

246

		ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."

247

		ewarn

248

		if egrep -q '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf; then

249

			ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"

250

			ewarn "configured in /etc/nsswitch.conf."

251

			ewarn

252

			ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"

253

			ewarn "  sudoers: ldap files"

254

			ewarn

255

fi

256

fi

257

258

	elog "To use the -A (askpass) option, you need to install a compatible"

259

	elog "password program from the following list. Starred packages will"

260

	elog "automatically register for the use with sudo (but will not force"

261

	elog "the -A option):"

262

	elog ""

263

	elog " [*] net-misc/ssh-askpass-fullscreen"

264

	elog "     net-misc/x11-ssh-askpass"

265

	elog ""

266

	elog "You can override the choice by setting the SUDO_ASKPASS environmnent"

267

	elog "variable to the program you want to use."

268

}

1	keytoaster 10/02/25 21:08:35
2
3	Modified: ChangeLog
4	Added: sudo-1.7.2_p4.ebuild
5	Log:
6	Version bump, security bug #306865
7	(Portage version: 2.2_rc63/cvs/Linux x86_64)
8
9	Revision Changes Path
10	1.208 app-admin/sudo/ChangeLog
11
12	file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/ChangeLog?rev=1.208&view=markup
13	plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/ChangeLog?rev=1.208&content-type=text/plain
14	diff : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/ChangeLog?r1=1.207&r2=1.208
15
16	Index: ChangeLog
17	===================================================================
18	RCS file: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v
19	retrieving revision 1.207
20	retrieving revision 1.208
21	diff -u -r1.207 -r1.208
22	--- ChangeLog 20 Feb 2010 18:58:22 -0000 1.207
23	+++ ChangeLog 25 Feb 2010 21:08:34 -0000 1.208
24	@@ -1,6 +1,12 @@
25	# ChangeLog for app-admin/sudo
26	# Copyright 1999-2010 Gentoo Foundation; Distributed under the GPL v2
27	-# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v 1.207 2010/02/20 18:58:22 flameeyes Exp $
28	+# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v 1.208 2010/02/25 21:08:34 keytoaster Exp $
29	+
30	+*sudo-1.7.2_p4 (25 Feb 2010)
31	+
32	+ 25 Feb 2010; Tobias Heinlein <keytoaster@g.o>
33	+ +sudo-1.7.2_p4.ebuild:
34	+ Version bump, security bug #306865
35
36	*sudo-1.7.2_p3 (20 Feb 2010)
37
38
39
40
41	1.1 app-admin/sudo/sudo-1.7.2_p4.ebuild
42
43	file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/sudo-1.7.2_p4.ebuild?rev=1.1&view=markup
44	plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/sudo-1.7.2_p4.ebuild?rev=1.1&content-type=text/plain
45
46	Index: sudo-1.7.2_p4.ebuild
47	===================================================================
48	# Copyright 1999-2010 Gentoo Foundation
49	# Distributed under the terms of the GNU General Public License v2
50	# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/sudo-1.7.2_p4.ebuild,v 1.1 2010/02/25 21:08:35 keytoaster Exp $
51
52	inherit eutils pam confutils
53
54	MY_P=${P/_/}
55	MY_P=${MY_P/beta/b}
56
57	case "${P}" in
58	_beta \| _rc)
59	uri_prefix=beta/
60	;;
61	*)
62	uri_prefix=""
63	;;
64	esac
65
66	DESCRIPTION="Allows users or groups to run commands as other users"
67	HOMEPAGE="http://www.sudo.ws/"
68	SRC_URI="ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"
69	# Basic license is ISC-style as-is, some files are released under
70	# 3-clause BSD license
71	LICENSE="as-is BSD"
72	SLOT="0"
73	KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~x86-fbsd"
74	IUSE="pam skey offensive ldap selinux"
75
76	DEPEND="pam? ( virtual/pam )
77	ldap? (
78	>=net-nds/openldap-2.1.30-r1
79	dev-libs/cyrus-sasl
80	)
81	skey? ( >=sys-auth/skey-1.1.5-r1 )
82	app-editors/gentoo-editor
83	virtual/editor
84	virtual/mta"
85	RDEPEND="selinux? ( sec-policy/selinux-sudo )
86	ldap? ( dev-lang/perl )
87	pam? ( sys-auth/pambase )
88	${DEPEND}"
89	DEPEND="${DEPEND} sys-devel/bison"
90
91	S=${WORKDIR}/${MY_P}
92
93	pkg_setup() {
94	confutils_use_conflict skey pam
95	}
96
97	src_unpack() {
98	unpack ${A}; cd "${S}"
99
100	# compatability fix.
101	epatch "${FILESDIR}"/${PN}-skeychallengeargs.diff
102
103	# additional variables to disallow, should user disable env_reset.
104
105	# NOTE: this is not a supported mode of operation, these variables
106	# are added to the blacklist as a convenience to administrators
107	# who fail to heed the warnings of allowing untrusted users
108	# to access sudo.
109	#
110	# there is no possible way to foresee all attack vectors in
111	# all possible applications that could potentially be used via
112	# sudo, these settings will just delay the inevitable.
113	#
114	# that said, I will accept suggestions for variables that can
115	# be misused in _common_ interpreters or libraries, such as
116	# perl, bash, python, ruby, etc., in the hope of dissuading
117	# a casual attacker.
118
119	# XXX: perl should be using suid_perl.
120	# XXX: users can remove/add more via env_delete and env_check.
121	# XXX: <?> = probably safe enough for most circumstances.
122
123	einfo "Blacklisting common variables (env_delete)..."
124	sudo_bad_var() {
125	local target='env.c' marker='\*initial_badenv_table\[\]'
126
127	ebegin " $1"
128	sed -i 's#\(^.'${marker}'.$\)#\1\n\t"'${1}'",#' "${S}"/${target}
129	eend $?
130	}
131
132	sudo_bad_var 'PERLIO_DEBUG' # perl, write debug to file.
133	sudo_bad_var 'FPATH' # ksh, search path for functions.
134	sudo_bad_var 'NULLCMD' # zsh, command on null-redir. <?>
135	sudo_bad_var 'READNULLCMD' # zsh, command on null-redir. <?>
136	sudo_bad_var 'GLOBIGNORE' # bash, glob paterns to ignore. <?>
137	sudo_bad_var 'PYTHONHOME' # python, module search path.
138	sudo_bad_var 'PYTHONPATH' # python, search path.
139	sudo_bad_var 'PYTHONINSPECT' # python, allow inspection.
140	sudo_bad_var 'RUBYLIB' # ruby, lib load path.
141	sudo_bad_var 'RUBYOPT' # ruby, cl options.
142	sudo_bad_var 'ZDOTDIR' # zsh, path to search for dotfiles.
143	einfo "...done."
144
145	# prevent binaries from being stripped.
146	sed -i 's/\($(INSTALL).\) -s \(.[(sudo\|visudo)]\)/\1 \2/g' Makefile.in
147	}
148
149	src_compile() {
150	local line ROOTPATH
151
152	# FIXME: secure_path is a compile time setting. using ROOTPATH
153	# is not perfect, env-update may invalidate this, but until it
154	# is available as a sudoers setting this will have to do.
155	einfo "Setting secure_path..."
156
157	# why not use grep? variable might be expanded from other variables
158	# declared in that file. cannot just source the file, would override
159	# any variables already set.
160	eval `PS4= bash -x /etc/profile.env 2>&1 \| \
161	while read line; do
162	case $line in
163	ROOTPATH=*) echo $line; break;;
164	*) continue;;
165	esac
166	done` && einfo " Found ROOTPATH..." \|\| \
167	ewarn " Failed to find ROOTPATH, please report this."
168
169	# remove duplicate path entries from $1
170	cleanpath() {
171	local i=1 x n IFS=:
172	local -a paths; paths=($1)
173
174	for ((n=${#paths[*]}-1;i<=n;i++)); do
175	for ((x=0;x<i;x++)); do
176	test "${paths[i]}" == "${paths[x]}" && {
177	einfo " Duplicate entry ${paths[i]} removed..." 1>&2
178	unset paths[i]; continue 2; }
179	done; # einfo " Adding ${paths[i]}..." 1>&2
180	done; echo "${paths[*]}"
181	}
182
183	ROOTPATH=$(cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${ROOTPATH:+:${ROOTPATH}})
184
185	# strip gcc path (bug #136027)
186	rmpath() {
187	declare e newpath oldpath=${!1} PATHvar=$1 thisp IFS=:
188	shift
189	for thisp in $oldpath; do
190	for e; do [[ $thisp == $e ]] && continue 2; done
191	newpath=$newpath:$thisp
192	done
193	eval $PATHvar='${newpath#:}'
194	}
195
196	rmpath ROOTPATH '/gcc-bin/'
197
198	einfo "...done."
199
200	# XXX: --disable-path-info closes an info leak, but may be confusing.
201	econf --with-secure-path="${ROOTPATH}" \
202	--with-editor=/usr/libexec/gentoo-editor \
203	--with-env-editor \
204	$(use_with offensive insults) \
205	$(use_with offensive all-insults) \
206	$(use_with pam) \
207	$(use_with skey) \
208	$(use_with ldap ldap_conf_file /etc/ldap.conf.sudo) \
209	$(use_with ldap) \|\| die
210
211	emake \|\| die
212	}
213
214	src_install() {
215	emake DESTDIR="${D}" install \|\| die
216	dodoc ChangeLog HISTORY PORTING README TROUBLESHOOTING \
217	UPGRADE WHATSNEW sample.sudoers sample.syslog.conf
218
219	if use ldap; then
220	dodoc README.LDAP schema.OpenLDAP
221	dosbin sudoers2ldif
222
223	cat - > "${T}"/ldap.conf.sudo <<EOF
224	# See ldap.conf(5) and README.LDAP for details\n"
225	# This file should only be readable by root\n\n"
226	# supported directives: host, port, ssl, ldap_version\n"
227	# uri, binddn, bindpw, sudoers_base, sudoers_debug\n"
228	# tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key
229	EOF
230
231	insinto /etc
232	doins "${T}"/ldap.conf.sudo
233	fperms 0440 /etc/ldap.conf.sudo
234	fi
235
236	pamd_mimic system-auth sudo auth account password session
237
238	insinto /etc
239	doins "${S}"/sudoers
240	fperms 0440 /etc/sudoers
241	}
242
243	pkg_postinst() {
244	if use ldap; then
245	ewarn
246	ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."
247	ewarn
248	if egrep -q '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf; then
249	ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
250	ewarn "configured in /etc/nsswitch.conf."
251	ewarn
252	ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"
253	ewarn " sudoers: ldap files"
254	ewarn
255	fi
256	fi
257
258	elog "To use the -A (askpass) option, you need to install a compatible"
259	elog "password program from the following list. Starred packages will"
260	elog "automatically register for the use with sudo (but will not force"
261	elog "the -A option):"
262	elog ""
263	elog " [*] net-misc/ssh-askpass-fullscreen"
264	elog " net-misc/x11-ssh-askpass"
265	elog ""
266	elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
267	elog "variable to the program you want to use."
268	}

Gentoo Archives: gentoo-commits