[gentoo-commits] gentoo-x86 commit in app-admin/sudo: ChangeLog sudo-1.7.1-r1.ebuild sudo-1.7.1.ebuild - gentoo-commits

From:	"Diego Petteno (flameeyes)" <flameeyes@g.o>
To:	gentoo-commits@l.g.o
Subject:	[gentoo-commits] gentoo-x86 commit in app-admin/sudo: ChangeLog sudo-1.7.1-r1.ebuild sudo-1.7.1.ebuild
Date:	Fri, 24 Apr 2009 15:22:15
Message-Id:	`E1LxNEC-0005Wj-OS@stork.gentoo.org`

1

flameeyes    09/04/24 15:22:12

2

3

  Modified:             ChangeLog

4

  Added:                sudo-1.7.1-r1.ebuild

5

  Removed:              sudo-1.7.1.ebuild

6

  Log:

7

  Fix bug #266361, thanks to Todd (sudo's maintainer) for the patch.

8

  (Portage version: 2.2_rc31/cvs/Linux x86_64)

9

10

Revision  Changes    Path

11

1.173                app-admin/sudo/ChangeLog

12

13

file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/ChangeLog?rev=1.173&view=markup

14

plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/ChangeLog?rev=1.173&content-type=text/plain

15

diff : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/ChangeLog?r1=1.172&r2=1.173

16

17

Index: ChangeLog

18

===================================================================

19

RCS file: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v

20

retrieving revision 1.172

21

retrieving revision 1.173

22

diff -u -r1.172 -r1.173

23

--- ChangeLog	19 Apr 2009 16:12:02 -0000	1.172

24

+++ ChangeLog	24 Apr 2009 15:22:12 -0000	1.173

25

@@ -1,6 +1,12 @@

26

 # ChangeLog for app-admin/sudo

27

 # Copyright 2002-2009 Gentoo Foundation; Distributed under the GPL v2

28

-# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v 1.172 2009/04/19 16:12:02 flameeyes Exp $

29

+# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v 1.173 2009/04/24 15:22:12 flameeyes Exp $

30

+

31

+*sudo-1.7.1-r1 (24 Apr 2009)

32

+

33

+  24 Apr 2009; Diego E. Pettenò <flameeyes@g.o>

34

+  +files/sudo-1.7.1-bug348.patch, -sudo-1.7.1.ebuild, +sudo-1.7.1-r1.ebuild:

35

+  Fix bug #266361, thanks to Todd (sudo's maintainer) for the patch.

36

37

 *sudo-1.7.1 (19 Apr 2009)

1.1                  app-admin/sudo/sudo-1.7.1-r1.ebuild

43

44

file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/sudo-1.7.1-r1.ebuild?rev=1.1&view=markup

45

plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/sudo-1.7.1-r1.ebuild?rev=1.1&content-type=text/plain

46

47

Index: sudo-1.7.1-r1.ebuild

48

===================================================================

49

# Copyright 1999-2009 Gentoo Foundation

50

# Distributed under the terms of the GNU General Public License v2

51

# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/sudo-1.7.1-r1.ebuild,v 1.1 2009/04/24 15:22:12 flameeyes Exp $

52

53

inherit eutils pam confutils

54

55

MY_P=${P/_/}

56

MY_P=${MY_P/beta/b}

57

58

case "${P}" in

59

	*_beta* | *_rc*)

60

		uri_prefix=beta/

61

;;

62

*)

63

		uri_prefix=""

64

;;

65

esac

66

67

DESCRIPTION="Allows users or groups to run commands as other users"

68

HOMEPAGE="http://www.sudo.ws/"

69

SRC_URI="ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"

70

# Basic license is ISC-style as-is, some files are released under

71

# 3-clause BSD license

72

LICENSE="as-is BSD"

73

SLOT="0"

74

KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~sparc-fbsd ~x86 ~x86-fbsd"

75

IUSE="pam skey offensive ldap selinux"

76

77

DEPEND="pam? ( virtual/pam )

78

	ldap? (

79

		>=net-nds/openldap-2.1.30-r1

80

		dev-libs/cyrus-sasl

81

)

82

	skey? ( >=sys-auth/skey-1.1.5-r1 )

83

	virtual/editor

84

	virtual/mta"

85

RDEPEND="selinux? ( sec-policy/selinux-sudo )

86

	ldap? ( dev-lang/perl )

87

	pam? ( sys-auth/pambase )

88

	${DEPEND}"

89

DEPEND="${DEPEND} sys-devel/bison"

90

91

S=${WORKDIR}/${MY_P}

92

93

pkg_setup() {

94

	confutils_use_conflict skey pam

95

}

96

97

src_unpack() {

98

	unpack ${A}; cd "${S}"

99

100

	# compatability fix.

101

	epatch "${FILESDIR}"/${PN}-skeychallengeargs.diff

102

103

	# Bug #266361 (upstream bug #348)

104

	epatch "${FILESDIR}"/${P}-bug348.patch

105

106

	# additional variables to disallow, should user disable env_reset.

107

108

	# NOTE: this is not a supported mode of operation, these variables

109

	#       are added to the blacklist as a convenience to administrators

110

	#       who fail to heed the warnings of allowing untrusted users

111

	#       to access sudo.

112

#

113

	#       there is *no possible way* to foresee all attack vectors in

114

	#       all possible applications that could potentially be used via

115

	#       sudo, these settings will just delay the inevitable.

116

#

117

	#       that said, I will accept suggestions for variables that can

118

	#       be misused in _common_ interpreters or libraries, such as

119

	#       perl, bash, python, ruby, etc., in the hope of dissuading

120

	#       a casual attacker.

121

122

	# XXX: perl should be using suid_perl.

123

	# XXX: users can remove/add more via env_delete and env_check.

124

	# XXX: <?> = probably safe enough for most circumstances.

125

126

	einfo "Blacklisting common variables (env_delete)..."

127

		sudo_bad_var() {

128

			local target='env.c' marker='\*initial_badenv_table\[\]'

129

130

			ebegin "	$1"

131

			sed -i 's#\(^.*'${marker}'.*$\)#\1\n\t"'${1}'",#' "${S}"/${target}

132

			eend $?

133

}

134

135

		sudo_bad_var 'PERLIO_DEBUG'   # perl, write debug to file.

136

		sudo_bad_var 'FPATH'          # ksh, search path for functions.

137

		sudo_bad_var 'NULLCMD'        # zsh, command on null-redir. <?>

138

		sudo_bad_var 'READNULLCMD'    # zsh, command on null-redir. <?>

139

		sudo_bad_var 'GLOBIGNORE'     # bash, glob paterns to ignore. <?>

140

		sudo_bad_var 'PYTHONHOME'     # python, module search path.

141

		sudo_bad_var 'PYTHONPATH'     # python, search path.

142

		sudo_bad_var 'PYTHONINSPECT'  # python, allow inspection.

143

		sudo_bad_var 'RUBYLIB'        # ruby, lib load path.

144

		sudo_bad_var 'RUBYOPT'        # ruby, cl options.

145

		sudo_bad_var 'ZDOTDIR'        # zsh, path to search for dotfiles.

146

	einfo "...done."

147

148

	# prevent binaries from being stripped.

149

	sed -i 's/\($(INSTALL).*\) -s \(.*[(sudo|visudo)]\)/\1 \2/g' Makefile.in

150

151

	# remove useless c++ checks

152

	epunt_cxx

153

}

154

155

src_compile() {

156

	local line ROOTPATH

157

158

	# FIXME: secure_path is a compile time setting. using ROOTPATH

159

	# is not perfect, env-update may invalidate this, but until it

160

	# is available as a sudoers setting this will have to do.

161

	einfo "Setting secure_path..."

162

163

		# why not use grep? variable might be expanded from other variables

164

		# declared in that file. cannot just source the file, would override

165

		# any variables already set.

166

		eval `PS4= bash -x /etc/profile.env 2>&1 | \

167

			while read line; do

168

				case $line in

169

					ROOTPATH=*) echo $line; break;;

170

					*) continue;;

171

				esac

172

			done`  && einfo "	Found ROOTPATH..." || \

173

				ewarn "	Failed to find ROOTPATH, please report this."

174

175

		# remove duplicate path entries from $1

176

		cleanpath() {

177

			local i=1 x n IFS=:

178

			local -a paths;	paths=($1)

179

180

			for ((n=${#paths[*]}-1;i<=n;i++)); do

181

				for ((x=0;x<i;x++)); do

182

					test "${paths[i]}" == "${paths[x]}" && {

183

						einfo "	Duplicate entry ${paths[i]} removed..." 1>&2

184

						unset paths[i]; continue 2; }

185

				done; # einfo "	Adding ${paths[i]}..." 1>&2

186

			done; echo "${paths[*]}"

187

}

188

189

		ROOTPATH=$(cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${ROOTPATH:+:${ROOTPATH}})

190

191

		# strip gcc path (bug #136027)

192

		rmpath() {

193

			declare e newpath oldpath=${!1} PATHvar=$1 thisp IFS=:

194

			shift

195

			for thisp in $oldpath; do

196

				for e; do [[ $thisp == $e ]] && continue 2; done

197

				newpath=$newpath:$thisp

198

			done

199

			eval $PATHvar='${newpath#:}'

200

}

201

202

		rmpath ROOTPATH '*/gcc-bin/*'

203

204

	einfo "...done."

205

206

	# XXX: --disable-path-info closes an info leak, but may be confusing.

207

	# XXX: /bin/vi may not be available, make nano visudo's default.

208

	econf --with-secure-path="${ROOTPATH}" \

209

		--with-editor=/bin/nano \

210

		--with-env-editor \

211

		$(use_with offensive insults) \

212

		$(use_with offensive all-insults) \

213

		$(use_with pam) \

214

		$(use_with skey) \

215

		$(use_with ldap ldap_conf_file /etc/ldap.conf.sudo) \

216

		$(use_with ldap) || die

217

218

	emake || die

219

}

220

221

src_install() {

222

	emake DESTDIR="${D}" install || die

223

	dodoc ChangeLog HISTORY PORTING README TROUBLESHOOTING \

224

		UPGRADE WHATSNEW sample.sudoers sample.syslog.conf

225

226

	if use ldap; then

227

		dodoc README.LDAP schema.OpenLDAP

228

		dosbin sudoers2ldif

229

230

		cat - > "${T}"/ldap.conf.sudo <<EOF

231

# See ldap.conf(5) and README.LDAP for details\n"

232

# This file should only be readable by root\n\n"

233

# supported directives: host, port, ssl, ldap_version\n"

234

# uri, binddn, bindpw, sudoers_base, sudoers_debug\n"

235

# tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key

236

EOF

237

238

		insinto /etc

239

		doins "${T}"/ldap.conf.sudo

240

		fperms 0440 /etc/ldap.conf.sudo

241

fi

242

243

	pamd_mimic system-auth sudo auth account password session

244

245

	insinto /etc

246

	doins "${S}"/sudoers

247

	fperms 0440 /etc/sudoers

248

}

249

250

pkg_postinst() {

251

	if use ldap; then

252

		ewarn

253

		ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."

254

		ewarn

255

		if egrep -q '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf; then

256

			ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"

257

			ewarn "configured in /etc/nsswitch.conf."

258

			ewarn

259

			ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"

260

			ewarn "  sudoers: ldap files"

261

			ewarn

262

fi

263

fi

264

}

1	flameeyes 09/04/24 15:22:12
2
3	Modified: ChangeLog
4	Added: sudo-1.7.1-r1.ebuild
5	Removed: sudo-1.7.1.ebuild
6	Log:
7	Fix bug #266361, thanks to Todd (sudo's maintainer) for the patch.
8	(Portage version: 2.2_rc31/cvs/Linux x86_64)
9
10	Revision Changes Path
11	1.173 app-admin/sudo/ChangeLog
12
13	file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/ChangeLog?rev=1.173&view=markup
14	plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/ChangeLog?rev=1.173&content-type=text/plain
15	diff : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/ChangeLog?r1=1.172&r2=1.173
16
17	Index: ChangeLog
18	===================================================================
19	RCS file: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v
20	retrieving revision 1.172
21	retrieving revision 1.173
22	diff -u -r1.172 -r1.173
23	--- ChangeLog 19 Apr 2009 16:12:02 -0000 1.172
24	+++ ChangeLog 24 Apr 2009 15:22:12 -0000 1.173
25	@@ -1,6 +1,12 @@
26	# ChangeLog for app-admin/sudo
27	# Copyright 2002-2009 Gentoo Foundation; Distributed under the GPL v2
28	-# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v 1.172 2009/04/19 16:12:02 flameeyes Exp $
29	+# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v 1.173 2009/04/24 15:22:12 flameeyes Exp $
30	+
31	+*sudo-1.7.1-r1 (24 Apr 2009)
32	+
33	+ 24 Apr 2009; Diego E. Pettenò <flameeyes@g.o>
34	+ +files/sudo-1.7.1-bug348.patch, -sudo-1.7.1.ebuild, +sudo-1.7.1-r1.ebuild:
35	+ Fix bug #266361, thanks to Todd (sudo's maintainer) for the patch.
36
37	*sudo-1.7.1 (19 Apr 2009)
38
39
40
41
42	1.1 app-admin/sudo/sudo-1.7.1-r1.ebuild
43
44	file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/sudo-1.7.1-r1.ebuild?rev=1.1&view=markup
45	plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/app-admin/sudo/sudo-1.7.1-r1.ebuild?rev=1.1&content-type=text/plain
46
47	Index: sudo-1.7.1-r1.ebuild
48	===================================================================
49	# Copyright 1999-2009 Gentoo Foundation
50	# Distributed under the terms of the GNU General Public License v2
51	# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/sudo-1.7.1-r1.ebuild,v 1.1 2009/04/24 15:22:12 flameeyes Exp $
52
53	inherit eutils pam confutils
54
55	MY_P=${P/_/}
56	MY_P=${MY_P/beta/b}
57
58	case "${P}" in
59	_beta \| _rc)
60	uri_prefix=beta/
61	;;
62	*)
63	uri_prefix=""
64	;;
65	esac
66
67	DESCRIPTION="Allows users or groups to run commands as other users"
68	HOMEPAGE="http://www.sudo.ws/"
69	SRC_URI="ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"
70	# Basic license is ISC-style as-is, some files are released under
71	# 3-clause BSD license
72	LICENSE="as-is BSD"
73	SLOT="0"
74	KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~sparc-fbsd ~x86 ~x86-fbsd"
75	IUSE="pam skey offensive ldap selinux"
76
77	DEPEND="pam? ( virtual/pam )
78	ldap? (
79	>=net-nds/openldap-2.1.30-r1
80	dev-libs/cyrus-sasl
81	)
82	skey? ( >=sys-auth/skey-1.1.5-r1 )
83	virtual/editor
84	virtual/mta"
85	RDEPEND="selinux? ( sec-policy/selinux-sudo )
86	ldap? ( dev-lang/perl )
87	pam? ( sys-auth/pambase )
88	${DEPEND}"
89	DEPEND="${DEPEND} sys-devel/bison"
90
91	S=${WORKDIR}/${MY_P}
92
93	pkg_setup() {
94	confutils_use_conflict skey pam
95	}
96
97	src_unpack() {
98	unpack ${A}; cd "${S}"
99
100	# compatability fix.
101	epatch "${FILESDIR}"/${PN}-skeychallengeargs.diff
102
103	# Bug #266361 (upstream bug #348)
104	epatch "${FILESDIR}"/${P}-bug348.patch
105
106	# additional variables to disallow, should user disable env_reset.
107
108	# NOTE: this is not a supported mode of operation, these variables
109	# are added to the blacklist as a convenience to administrators
110	# who fail to heed the warnings of allowing untrusted users
111	# to access sudo.
112	#
113	# there is no possible way to foresee all attack vectors in
114	# all possible applications that could potentially be used via
115	# sudo, these settings will just delay the inevitable.
116	#
117	# that said, I will accept suggestions for variables that can
118	# be misused in _common_ interpreters or libraries, such as
119	# perl, bash, python, ruby, etc., in the hope of dissuading
120	# a casual attacker.
121
122	# XXX: perl should be using suid_perl.
123	# XXX: users can remove/add more via env_delete and env_check.
124	# XXX: <?> = probably safe enough for most circumstances.
125
126	einfo "Blacklisting common variables (env_delete)..."
127	sudo_bad_var() {
128	local target='env.c' marker='\*initial_badenv_table\[\]'
129
130	ebegin " $1"
131	sed -i 's#\(^.'${marker}'.$\)#\1\n\t"'${1}'",#' "${S}"/${target}
132	eend $?
133	}
134
135	sudo_bad_var 'PERLIO_DEBUG' # perl, write debug to file.
136	sudo_bad_var 'FPATH' # ksh, search path for functions.
137	sudo_bad_var 'NULLCMD' # zsh, command on null-redir. <?>
138	sudo_bad_var 'READNULLCMD' # zsh, command on null-redir. <?>
139	sudo_bad_var 'GLOBIGNORE' # bash, glob paterns to ignore. <?>
140	sudo_bad_var 'PYTHONHOME' # python, module search path.
141	sudo_bad_var 'PYTHONPATH' # python, search path.
142	sudo_bad_var 'PYTHONINSPECT' # python, allow inspection.
143	sudo_bad_var 'RUBYLIB' # ruby, lib load path.
144	sudo_bad_var 'RUBYOPT' # ruby, cl options.
145	sudo_bad_var 'ZDOTDIR' # zsh, path to search for dotfiles.
146	einfo "...done."
147
148	# prevent binaries from being stripped.
149	sed -i 's/\($(INSTALL).\) -s \(.[(sudo\|visudo)]\)/\1 \2/g' Makefile.in
150
151	# remove useless c++ checks
152	epunt_cxx
153	}
154
155	src_compile() {
156	local line ROOTPATH
157
158	# FIXME: secure_path is a compile time setting. using ROOTPATH
159	# is not perfect, env-update may invalidate this, but until it
160	# is available as a sudoers setting this will have to do.
161	einfo "Setting secure_path..."
162
163	# why not use grep? variable might be expanded from other variables
164	# declared in that file. cannot just source the file, would override
165	# any variables already set.
166	eval `PS4= bash -x /etc/profile.env 2>&1 \| \
167	while read line; do
168	case $line in
169	ROOTPATH=*) echo $line; break;;
170	*) continue;;
171	esac
172	done` && einfo " Found ROOTPATH..." \|\| \
173	ewarn " Failed to find ROOTPATH, please report this."
174
175	# remove duplicate path entries from $1
176	cleanpath() {
177	local i=1 x n IFS=:
178	local -a paths; paths=($1)
179
180	for ((n=${#paths[*]}-1;i<=n;i++)); do
181	for ((x=0;x<i;x++)); do
182	test "${paths[i]}" == "${paths[x]}" && {
183	einfo " Duplicate entry ${paths[i]} removed..." 1>&2
184	unset paths[i]; continue 2; }
185	done; # einfo " Adding ${paths[i]}..." 1>&2
186	done; echo "${paths[*]}"
187	}
188
189	ROOTPATH=$(cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${ROOTPATH:+:${ROOTPATH}})
190
191	# strip gcc path (bug #136027)
192	rmpath() {
193	declare e newpath oldpath=${!1} PATHvar=$1 thisp IFS=:
194	shift
195	for thisp in $oldpath; do
196	for e; do [[ $thisp == $e ]] && continue 2; done
197	newpath=$newpath:$thisp
198	done
199	eval $PATHvar='${newpath#:}'
200	}
201
202	rmpath ROOTPATH '/gcc-bin/'
203
204	einfo "...done."
205
206	# XXX: --disable-path-info closes an info leak, but may be confusing.
207	# XXX: /bin/vi may not be available, make nano visudo's default.
208	econf --with-secure-path="${ROOTPATH}" \
209	--with-editor=/bin/nano \
210	--with-env-editor \
211	$(use_with offensive insults) \
212	$(use_with offensive all-insults) \
213	$(use_with pam) \
214	$(use_with skey) \
215	$(use_with ldap ldap_conf_file /etc/ldap.conf.sudo) \
216	$(use_with ldap) \|\| die
217
218	emake \|\| die
219	}
220
221	src_install() {
222	emake DESTDIR="${D}" install \|\| die
223	dodoc ChangeLog HISTORY PORTING README TROUBLESHOOTING \
224	UPGRADE WHATSNEW sample.sudoers sample.syslog.conf
225
226	if use ldap; then
227	dodoc README.LDAP schema.OpenLDAP
228	dosbin sudoers2ldif
229
230	cat - > "${T}"/ldap.conf.sudo <<EOF
231	# See ldap.conf(5) and README.LDAP for details\n"
232	# This file should only be readable by root\n\n"
233	# supported directives: host, port, ssl, ldap_version\n"
234	# uri, binddn, bindpw, sudoers_base, sudoers_debug\n"
235	# tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key
236	EOF
237
238	insinto /etc
239	doins "${T}"/ldap.conf.sudo
240	fperms 0440 /etc/ldap.conf.sudo
241	fi
242
243	pamd_mimic system-auth sudo auth account password session
244
245	insinto /etc
246	doins "${S}"/sudoers
247	fperms 0440 /etc/sudoers
248	}
249
250	pkg_postinst() {
251	if use ldap; then
252	ewarn
253	ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."
254	ewarn
255	if egrep -q '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf; then
256	ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
257	ewarn "configured in /etc/nsswitch.conf."
258	ewarn
259	ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"
260	ewarn " sudoers: ldap files"
261	ewarn
262	fi
263	fi
264	}

Gentoo Archives: gentoo-commits