
From: "Diego Petteno (flameeyes)" <flameeyes@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo-x86 commit in app-admin/sudo: sudo-1.7.5.ebuild ChangeLog sudo-1.8.0.ebuild
Date: Tue, 01 Mar 2011 17:59:48
Message-Id: 20110301175934.B680B2004F@flycatcher.gentoo.org
1 flameeyes 11/03/01 17:59:34
2
3 Modified: ChangeLog
4 Added: sudo-1.7.5.ebuild sudo-1.8.0.ebuild
5 Log:
6 Version bump; 1.8.0 is a big rewrite and thus is currently masked. S/Key support in 1.8 is gone, and it doesn't respect ldflags right now; tests also seem to be broken.
7
8 (Portage version: 2.2.0_alpha25/cvs/Linux x86_64)
9
10 Revision Changes Path
11 1.258 app-admin/sudo/ChangeLog
12
13 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-admin/sudo/ChangeLog?rev=1.258&view=markup
14 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-admin/sudo/ChangeLog?rev=1.258&content-type=text/plain
15 diff : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-admin/sudo/ChangeLog?r1=1.257&r2=1.258
16
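--- a/app-admin/sudo/ChangeLog
+++ b/app-admin/sudo/ChangeLog
@@ -1,6 +1,15 @@
 # ChangeLog for app-admin/sudo
 # Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v 1.257 2011/01/19 14:56:41 flameeyes Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v 1.258 2011/03/01 17:59:34 flameeyes Exp $
+
+*sudo-1.8.0 (01 Mar 2011)
+*sudo-1.7.5 (01 Mar 2011)
+
+ 01 Mar 2011; Diego E. Pettenò <flameeyes@g.o> +sudo-1.7.5.ebuild,
+ +sudo-1.8.0.ebuild:
+ Version bump; 1.8.0 is a big rewrite and thus is currently masked. S/Key
+ support in 1.8 is gone, and it doesn't respect ldflags right now; tests seem
+ also to be broken.
 
 *sudo-1.7.4_p6 (19 Jan 2011)
 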
42
43
44
45 1.1 app-admin/sudo/sudo-1.7.5.ebuild
46
47 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-admin/sudo/sudo-1.7.5.ebuild?rev=1.1&view=markup
48 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-admin/sudo/sudo-1.7.5.ebuild?rev=1.1&content-type=text/plain
49
50 Index: sudo-1.7.5.ebuild
51 ===================================================================
52 # Copyright 1999-2011 Gentoo Foundation
53 # Distributed under the terms of the GNU General Public License v2
54 # $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/sudo-1.7.5.ebuild,v 1.1 2011/03/01 17:59:34 flameeyes Exp $
55
56 inherit eutils pam
57
58 MY_P=${P/_/}
59 MY_P=${MY_P/beta/b}
60
61 case "${P}" in
62 *_beta* | *_rc*)
63 uri_prefix=beta/
64 ;;
65 *)
66 uri_prefix=""
67 ;;
68 esac
69
70 DESCRIPTION="Allows users or groups to run commands as other users"
71 HOMEPAGE="http://www.sudo.ws/"
72 SRC_URI="http://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
73 ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"
74
75 # Basic license is ISC-style as-is, some files are released under
76 # 3-clause BSD license
77 LICENSE="as-is BSD"
78
79 SLOT="0"
80 KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd"
81 IUSE="pam skey offensive ldap selinux"
82
83 DEPEND="pam? ( virtual/pam )
84 ldap? (
85 >=net-nds/openldap-2.1.30-r1
86 dev-libs/cyrus-sasl
87 )
88 !pam? ( skey? ( >=sys-auth/skey-1.1.5-r1 ) )
89 app-editors/gentoo-editor
90 virtual/editor
91 virtual/mta"
92 RDEPEND="selinux? ( sec-policy/selinux-sudo )
93 ldap? ( dev-lang/perl )
94 pam? ( sys-auth/pambase )
95 ${DEPEND}"
96 DEPEND="${DEPEND}
97 sys-devel/bison"
98
99 S=${WORKDIR}/${MY_P}
100
101 pkg_setup() {
102 if use pam && use skey; then
103 ewarn "You cannot enable both S/KEY and PAM at the same time, PAM will"
104 ewarn "be used then."
105 fi
106 }
107
108 src_unpack() {
109 unpack ${A}; cd "${S}"
110
111 # compatability fix.
112 epatch "${FILESDIR}"/${PN}-skeychallengeargs.diff
113
114 # additional variables to disallow, should user disable env_reset.
115
116 # NOTE: this is not a supported mode of operation, these variables
117 # are added to the blacklist as a convenience to administrators
118 # who fail to heed the warnings of allowing untrusted users
119 # to access sudo.
120 #
121 # there is *no possible way* to foresee all attack vectors in
122 # all possible applications that could potentially be used via
123 # sudo, these settings will just delay the inevitable.
124 #
125 # that said, I will accept suggestions for variables that can
126 # be misused in _common_ interpreters or libraries, such as
127 # perl, bash, python, ruby, etc., in the hope of dissuading
128 # a casual attacker.
129
130 # XXX: perl should be using suid_perl.
131 # XXX: users can remove/add more via env_delete and env_check.
132 # XXX: <?> = probably safe enough for most circumstances.
133
134 einfo "Blacklisting common variables (env_delete)..."
135 sudo_bad_var() {
136 local target='env.c' marker='\*initial_badenv_table\[\]'
137
138 ebegin " $1"
139 sed -i 's#\(^.*'${marker}'.*$\)#\1\n\t"'${1}'",#' "${S}"/${target}
140 eend $?
141 }
142
143 sudo_bad_var 'PERLIO_DEBUG' # perl, write debug to file.
144 sudo_bad_var 'FPATH' # ksh, search path for functions.
145 sudo_bad_var 'NULLCMD' # zsh, command on null-redir. <?>
146 sudo_bad_var 'READNULLCMD' # zsh, command on null-redir. <?>
147 sudo_bad_var 'GLOBIGNORE' # bash, glob paterns to ignore. <?>
148 sudo_bad_var 'PYTHONHOME' # python, module search path.
149 sudo_bad_var 'PYTHONPATH' # python, search path.
150 sudo_bad_var 'PYTHONINSPECT' # python, allow inspection.
151 sudo_bad_var 'RUBYLIB' # ruby, lib load path.
152 sudo_bad_var 'RUBYOPT' # ruby, cl options.
153 sudo_bad_var 'ZDOTDIR' # zsh, path to search for dotfiles.
154 einfo "...done."
155
156 # prevent binaries from being stripped.
157 sed -i 's/\($(INSTALL).*\) -s \(.*[(sudo|visudo)]\)/\1 \2/g' Makefile.in
158 }
159
160 src_compile() {
161 local line ROOTPATH
162
163 # FIXME: secure_path is a compile time setting. using ROOTPATH
164 # is not perfect, env-update may invalidate this, but until it
165 # is available as a sudoers setting this will have to do.
166 einfo "Setting secure_path..."
167
168 # why not use grep? variable might be expanded from other variables
169 # declared in that file. cannot just source the file, would override
170 # any variables already set.
171 eval `PS4= bash -x /etc/profile.env 2>&1 | \
172 while read line; do
173 case $line in
174 ROOTPATH=*) echo $line; break;;
175 *) continue;;
176 esac
177 done` && einfo " Found ROOTPATH..." || \
178 ewarn " Failed to find ROOTPATH, please report this."
179
180 # remove duplicate path entries from $1
181 cleanpath() {
182 local i=1 x n IFS=:
183 local -a paths; paths=($1)
184
185 for ((n=${#paths[*]}-1;i<=n;i++)); do
186 for ((x=0;x<i;x++)); do
187 test "${paths[i]}" == "${paths[x]}" && {
188 einfo " Duplicate entry ${paths[i]} removed..." 1>&2
189 unset paths[i]; continue 2; }
190 done; # einfo " Adding ${paths[i]}..." 1>&2
191 done; echo "${paths[*]}"
192 }
193
194 ROOTPATH=$(cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${ROOTPATH:+:${ROOTPATH}})
195
196 # strip gcc path (bug #136027)
197 rmpath() {
198 declare e newpath oldpath=${!1} PATHvar=$1 thisp IFS=:
199 shift
200 for thisp in $oldpath; do
201 for e; do [[ $thisp == $e ]] && continue 2; done
202 newpath=$newpath:$thisp
203 done
204 eval $PATHvar='${newpath#:}'
205 }
206
207 rmpath ROOTPATH '*/gcc-bin/*'
208
209 einfo "...done."
210
211 if use pam; then
212 myconf="--with-pam --without-skey"
213 elif use skey; then
214 myconf="--without-pam --with-skey"
215 else
216 myconf="--without-pam --without-skey"
217 fi
218
219 # audit: somebody got to explain me how I can test this before I
220 # enable it.. — Diego
221 econf --with-secure-path="${ROOTPATH}" \
222 --with-editor=/usr/libexec/gentoo-editor \
223 --with-env-editor \
224 $(use_with offensive insults) \
225 $(use_with offensive all-insults) \
226 $(use_with ldap ldap_conf_file /etc/ldap.conf.sudo) \
227 $(use_with ldap) \
228 --without-linux-audit \
229 --with-timedir=/var/db/sudo \
230 --docdir=/usr/share/doc/${PF} \
231 ${myconf}
232
233 emake || die
234 }
235
236 src_install() {
237 emake DESTDIR="${D}" install || die
238
239 if use ldap; then
240 dodoc README.LDAP schema.OpenLDAP
241 dosbin sudoers2ldif
242
243 cat - > "${T}"/ldap.conf.sudo <<EOF
244 # See ldap.conf(5) and README.LDAP for details\n"
245 # This file should only be readable by root\n\n"
246 # supported directives: host, port, ssl, ldap_version\n"
247 # uri, binddn, bindpw, sudoers_base, sudoers_debug\n"
248 # tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key
249 EOF
250
251 insinto /etc
252 doins "${T}"/ldap.conf.sudo
253 fperms 0440 /etc/ldap.conf.sudo
254 fi
255
256 pamd_mimic system-auth sudo auth account session
257
258 insinto /etc
259 doins "${S}"/sudoers
260 fperms 0440 /etc/sudoers
261
262 keepdir /var/db/sudo
263 fperms 0700 /var/db/sudo
264 }
265
266 pkg_postinst() {
267 if use ldap; then
268 ewarn
269 ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."
270 ewarn
271 if egrep -q '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf; then
272 ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
273 ewarn "configured in /etc/nsswitch.conf."
274 ewarn
275 ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"
276 ewarn " sudoers: ldap files"
277 ewarn
278 fi
279 fi
280
281 elog "To use the -A (askpass) option, you need to install a compatible"
282 elog "password program from the following list. Starred packages will"
283 elog "automatically register for the use with sudo (but will not force"
284 elog "the -A option):"
285 elog ""
286 elog " [*] net-misc/ssh-askpass-fullscreen"
287 elog " net-misc/x11-ssh-askpass"
288 elog ""
289 elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
290 elog "variable to the program you want to use."
291 }
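Review bot: The nsswitch check in pkg_postinst looks inverted: `egrep -q '^[[:space:]]*sudoers:'` succeeds when a `sudoers:` entry is already present, so the "add this line to your /etc/nsswitch.conf" warning is shown to users who already have it and withheld from those who do not; I would change it to `if ! egrep -q '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf; then`. In src_unpack, sudo_bad_var hands sed's status to `eend $?`, but sed exits 0 when the `initial_badenv_table` marker does not match, so an upstream rename would leave the env_delete blacklist unpatched without any failure being reported; a guard such as `grep -q "${marker}" "${S}"/${target} || die "${marker} not found in ${target}"` before the sed makes that visible. The unquoted heredoc in src_install writes the literal characters `\n"` at the end of each comment line into the installed /etc/ldap.conf.sudo (apparently left over from a printf-style version), and they should be removed. Because the compile-time secure_path is assembled from the build host's ROOTPATH and baked into the binary, logging the final value with `einfo " secure_path=${ROOTPATH}"` after the rmpath call would make the trusted path auditable from the build log. The same three defects appear unchanged in sudo-1.8.0.ebuild below.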
292
293
294
295 1.1 app-admin/sudo/sudo-1.8.0.ebuild
296
297 file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-admin/sudo/sudo-1.8.0.ebuild?rev=1.1&view=markup
298 plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/app-admin/sudo/sudo-1.8.0.ebuild?rev=1.1&content-type=text/plain
299
300 Index: sudo-1.8.0.ebuild
301 ===================================================================
302 # Copyright 1999-2011 Gentoo Foundation
303 # Distributed under the terms of the GNU General Public License v2
304 # $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/sudo-1.8.0.ebuild,v 1.1 2011/03/01 17:59:34 flameeyes Exp $
305
306 inherit eutils pam
307
308 MY_P=${P/_/}
309 MY_P=${MY_P/beta/b}
310
311 case "${P}" in
312 *_beta* | *_rc*)
313 uri_prefix=beta/
314 ;;
315 *)
316 uri_prefix=""
317 ;;
318 esac
319
320 DESCRIPTION="Allows users or groups to run commands as other users"
321 HOMEPAGE="http://www.sudo.ws/"
322 SRC_URI="http://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
323 ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"
324
325 # Basic license is ISC-style as-is, some files are released under
326 # 3-clause BSD license
327 LICENSE="as-is BSD"
328
329 SLOT="0"
330 KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd"
331 IUSE="pam offensive ldap selinux"
332
333 DEPEND="pam? ( virtual/pam )
334 ldap? (
335 >=net-nds/openldap-2.1.30-r1
336 dev-libs/cyrus-sasl
337 )
338 app-editors/gentoo-editor
339 virtual/editor
340 virtual/mta"
341 RDEPEND="selinux? ( sec-policy/selinux-sudo )
342 ldap? ( dev-lang/perl )
343 pam? ( sys-auth/pambase )
344 ${DEPEND}"
345 DEPEND="${DEPEND}
346 sys-devel/bison"
347
348 S=${WORKDIR}/${MY_P}
349
350 src_unpack() {
351 unpack ${A}; cd "${S}"
352
353 # additional variables to disallow, should user disable env_reset.
354
355 # NOTE: this is not a supported mode of operation, these variables
356 # are added to the blacklist as a convenience to administrators
357 # who fail to heed the warnings of allowing untrusted users
358 # to access sudo.
359 #
360 # there is *no possible way* to foresee all attack vectors in
361 # all possible applications that could potentially be used via
362 # sudo, these settings will just delay the inevitable.
363 #
364 # that said, I will accept suggestions for variables that can
365 # be misused in _common_ interpreters or libraries, such as
366 # perl, bash, python, ruby, etc., in the hope of dissuading
367 # a casual attacker.
368
369 # XXX: perl should be using suid_perl.
370 # XXX: users can remove/add more via env_delete and env_check.
371 # XXX: <?> = probably safe enough for most circumstances.
372
373 einfo "Blacklisting common variables (env_delete)..."
374 sudo_bad_var() {
375 local target='env.c' marker='\*initial_badenv_table\[\]'
376
377 ebegin " $1"
378 sed -i 's#\(^.*'${marker}'.*$\)#\1\n\t"'${1}'",#' "${S}"/${target}
379 eend $?
380 }
381
382 sudo_bad_var 'PERLIO_DEBUG' # perl, write debug to file.
383 sudo_bad_var 'FPATH' # ksh, search path for functions.
384 sudo_bad_var 'NULLCMD' # zsh, command on null-redir. <?>
385 sudo_bad_var 'READNULLCMD' # zsh, command on null-redir. <?>
386 sudo_bad_var 'GLOBIGNORE' # bash, glob paterns to ignore. <?>
387 sudo_bad_var 'PYTHONHOME' # python, module search path.
388 sudo_bad_var 'PYTHONPATH' # python, search path.
389 sudo_bad_var 'PYTHONINSPECT' # python, allow inspection.
390 sudo_bad_var 'RUBYLIB' # ruby, lib load path.
391 sudo_bad_var 'RUBYOPT' # ruby, cl options.
392 sudo_bad_var 'ZDOTDIR' # zsh, path to search for dotfiles.
393 einfo "...done."
394
395 # prevent binaries from being stripped.
396 sed -i 's/\($(INSTALL).*\) -s \(.*[(sudo|visudo)]\)/\1 \2/g' Makefile.in
397 }
398
399 src_compile() {
400 local line ROOTPATH
401
402 # FIXME: secure_path is a compile time setting. using ROOTPATH
403 # is not perfect, env-update may invalidate this, but until it
404 # is available as a sudoers setting this will have to do.
405 einfo "Setting secure_path..."
406
407 # why not use grep? variable might be expanded from other variables
408 # declared in that file. cannot just source the file, would override
409 # any variables already set.
410 eval `PS4= bash -x /etc/profile.env 2>&1 | \
411 while read line; do
412 case $line in
413 ROOTPATH=*) echo $line; break;;
414 *) continue;;
415 esac
416 done` && einfo " Found ROOTPATH..." || \
417 ewarn " Failed to find ROOTPATH, please report this."
418
419 # remove duplicate path entries from $1
420 cleanpath() {
421 local i=1 x n IFS=:
422 local -a paths; paths=($1)
423
424 for ((n=${#paths[*]}-1;i<=n;i++)); do
425 for ((x=0;x<i;x++)); do
426 test "${paths[i]}" == "${paths[x]}" && {
427 einfo " Duplicate entry ${paths[i]} removed..." 1>&2
428 unset paths[i]; continue 2; }
429 done; # einfo " Adding ${paths[i]}..." 1>&2
430 done; echo "${paths[*]}"
431 }
432
433 ROOTPATH=$(cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${ROOTPATH:+:${ROOTPATH}})
434
435 # strip gcc path (bug #136027)
436 rmpath() {
437 declare e newpath oldpath=${!1} PATHvar=$1 thisp IFS=:
438 shift
439 for thisp in $oldpath; do
440 for e; do [[ $thisp == $e ]] && continue 2; done
441 newpath=$newpath:$thisp
442 done
443 eval $PATHvar='${newpath#:}'
444 }
445
446 rmpath ROOTPATH '*/gcc-bin/*'
447
448 einfo "...done."
449
450 # audit: somebody got to explain me how I can test this before I
451 # enable it.. — Diego
452 econf --with-secure-path="${ROOTPATH}" \
453 --with-editor=/usr/libexec/gentoo-editor \
454 --with-env-editor \
455 $(use_with offensive insults) \
456 $(use_with offensive all-insults) \
457 $(use_with ldap ldap_conf_file /etc/ldap.conf.sudo) \
458 $(use_with ldap) \
459 $(use_with pam) \
460 --without-skey \
461 --without-linux-audit \
462 --with-timedir=/var/db/sudo \
463 --docdir=/usr/share/doc/${PF} \
464 ${myconf}
465
466 emake || die
467 }
468
469 src_install() {
470 emake DESTDIR="${D}" install || die
471
472 if use ldap; then
473 dodoc README.LDAP schema.OpenLDAP
474 dosbin sudoers2ldif
475
476 cat - > "${T}"/ldap.conf.sudo <<EOF
477 # See ldap.conf(5) and README.LDAP for details\n"
478 # This file should only be readable by root\n\n"
479 # supported directives: host, port, ssl, ldap_version\n"
480 # uri, binddn, bindpw, sudoers_base, sudoers_debug\n"
481 # tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key
482 EOF
483
484 insinto /etc
485 doins "${T}"/ldap.conf.sudo
486 fperms 0440 /etc/ldap.conf.sudo
487 fi
488
489 pamd_mimic system-auth sudo auth account session
490
491 insinto /etc
492 doins "${S}"/sudoers
493 fperms 0440 /etc/sudoers
494
495 keepdir /var/db/sudo
496 fperms 0700 /var/db/sudo
497 }
498
499 pkg_postinst() {
500 if use ldap; then
501 ewarn
502 ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."
503 ewarn
504 if egrep -q '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf; then
505 ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
506 ewarn "configured in /etc/nsswitch.conf."
507 ewarn
508 ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"
509 ewarn " sudoers: ldap files"
510 ewarn
511 fi
512 fi
513
514 elog "To use the -A (askpass) option, you need to install a compatible"
515 elog "password program from the following list. Starred packages will"
516 elog "automatically register for the use with sudo (but will not force"
517 elog "the -A option):"
518 elog ""
519 elog " [*] net-misc/ssh-askpass-fullscreen"
520 elog " net-misc/x11-ssh-askpass"
521 elog ""
522 elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
523 elog "variable to the program you want to use."
524 }
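Review bot: src_unpack still rewrites `"${S}"/env.c` and the top-level `Makefile.in` exactly as the 1.7.5 ebuild does, but the log calls 1.8.0 a big rewrite and, as far as I recall, 1.8 moved the sudoers policy code (env.c included) under plugins/sudoers/ and the front-end build under src/, so both seds would operate on a missing or unrelated file; since `eend $?` only reports the status and nothing dies, the env_delete blacklist and the no-strip fix would be lost silently. Please verify the paths against the 1.8.0 tarball and make a miss fatal, e.g. `[[ -f ${S}/${target} ]] || die "${target} not found; check the 1.8 source layout"` at the top of sudo_bad_var. `${myconf}` at the end of the econf call is never assigned in this ebuild (the pam/skey selection became `$(use_with pam) --without-skey`), so the reference is dead and should be dropped. The pkg_postinst message "In 1.7 series, LDAP is no more consulted" is stale for a 1.8 ebuild and should describe the behaviour rather than name the series.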