Diffstat (limited to '')
-rw-r--r--etc/codespell.exclude33
-rw-r--r--etc/codespell.ignore14
-rw-r--r--etc/codespell.skip25
-rw-r--r--etc/init.d/aix.sh.in25
-rw-r--r--etc/init.d/hpux.sh.in27
-rw-r--r--etc/init.d/sudo.conf.in6
-rw-r--r--etc/sudo-logsrvd.pp256
-rw-r--r--etc/sudo-python.pp149
-rw-r--r--etc/sudo.pp596
9 files changed, 1131 insertions, 0 deletions
diff --git a/etc/codespell.exclude b/etc/codespell.exclude
new file mode 100644
index 0000000..7814ba8
--- /dev/null
+++ b/etc/codespell.exclude
@@ -0,0 +1,33 @@
+ "You empty-headed animal food trough wiper!",
+ * Returns true if any tags set in nt differ between ot and nt, else false.
+#define TAGS_CHANGED(ot, nt) \
+ ((TAG_SET((nt).follow) && (nt).follow != (ot).follow) || \
+ (TAG_SET((nt).log_input) && (nt).log_input != (ot).log_input) || \
+ (TAG_SET((nt).log_output) && (nt).log_output != (ot).log_output) || \
+ (TAG_SET((nt).noexec) && (nt).noexec != (ot).noexec) || \
+ (TAG_SET((nt).nopasswd) && (nt).nopasswd != (ot).nopasswd) || \
+ (TAG_SET((nt).setenv) && (nt).setenv != (ot).setenv) || \
+ (TAG_SET((nt).send_mail) && (nt).send_mail != (ot).send_mail))
+ sv sw ta te tg th tr uk ur vi wa wo zh_CN zh_HK
+ if (!PyArg_ParseTupleAndKeywords(py_args ? py_args : py_empty, py_kwargs, "Ois|i:sudo.ConvMessage", keywords,
+ $ans = <STDIN>;
+ if ($ans =~ /^[yY]/) {
+.nr BA @BAMAN@
+.if \n(BA \{\
+.Nd convert between sudoers file formats
+.Nd configuration for sudo front end
+.Nd execute a command as another user
+.Nd Sudo log server protocol
+.Nd configuration for sudo_logsrvd
+.Nd sudo event and I/O log server
+.Nd Sudo Plugin API
+.Nd Sudo Plugin API (Python)
+.Nd send sudo I/O log to log server
+.Nd sudo LDAP configuration
+.Nd default sudo security policy plugin
+.Nd Sudoers Time Stamp Format
+.Nd replay sudo session logs
+.Nd edit the sudoers file
+ * If path doesn't end in /, return true iff cmnd & path name the same inode;
+ * Tim Fraser
+ echo ".Nd sudo" >> conftest
diff --git a/etc/codespell.ignore b/etc/codespell.ignore
new file mode 100644
index 0000000..26d97a9
--- /dev/null
+++ b/etc/codespell.ignore
@@ -0,0 +1,14 @@
+Ois
+SOM
+VAS
+alloced
+edn
+fIDN
+ist
+numer
+pleas
+sav
+thur
+toke
+vas
+wit
diff --git a/etc/codespell.skip b/etc/codespell.skip
new file mode 100644
index 0000000..6fa6cf8
--- /dev/null
+++ b/etc/codespell.skip
@@ -0,0 +1,25 @@
+\.in\.sed$
+/data
+Makefile\.in
+^ChangeLog$
+^MANIFEST$
+^aclocal\.m4$
+^autogen\.sh$
+^config\.guess$
+^config\.h\.in$
+^config\.sub$
+^configure$
+^doc/.*\.man\.in$
+^doc/CONTRIBUTORS$
+^etc/codespell
+^lib/util/fnmatch\.c$
+^lib/util/getaddrinfo\.c$
+^lib/zlib/
+^libtool$
+^ltmain\.sh$
+^m4/libtool\.m4$
+^m4/lt.*\.m4$
+^mkinstalldirs$
+^plugins/sudoers/po/
+^po/
+^scripts/pp$
diff --git a/etc/init.d/aix.sh.in b/etc/init.d/aix.sh.in
new file mode 100644
index 0000000..3d11241
--- /dev/null
+++ b/etc/init.d/aix.sh.in
@@ -0,0 +1,25 @@
+#!/bin/sh
+#
+# Simple AIX rc.d script to remove the sudo timestamp directory on boot.
+# This is needed because AIX does not have /var/run.
+# Install as /etc/rc.d/init.d/sudo with a link /etc/rc.d/rc2.d/S90sudo
+#
+
+PATH=/usr/sbin:/usr/bin:/sbin
+export PATH
+
+TSDIR="@rundir@/ts"
+rval=0
+
+case "$1" in
+start)
+ echo "Removing the $TSDIR directory"
+ rm -rf "$TSDIR"
+ ;;
+*)
+ echo "usage: $0 start"
+ rval=1
+ ;;
+esac
+
+exit $rval
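Review bot: The exit status of the `start)` arm does not reflect whether the removal worked, because `rval` is only set in the usage arm. If `rm -rf "$TSDIR"` fails at boot (for example on a read-only file system), time stamp records from before the reboot stay in place and nothing reports it. I would write `rm -rf "$TSDIR" || rval=1` there, and send the usage line to stderr with `echo "usage: $0 start" >&2`. The `start)` and `*)` arms of etc/init.d/hpux.sh.in have the same two points.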
diff --git a/etc/init.d/hpux.sh.in b/etc/init.d/hpux.sh.in
new file mode 100644
index 0000000..5a76bd2
--- /dev/null
+++ b/etc/init.d/hpux.sh.in
@@ -0,0 +1,27 @@
+#!/sbin/sh
+#
+# Simple HP-UX init.d script to remove the sudo timestamp directory on boot.
+# This is needed because HP-UX does not clear /var/run on its own.
+# Install as /sbin/init.d/sudo with a link /sbin/rc2.d/S900sudo
+#
+
+PATH=/usr/sbin:/usr/bin:/sbin
+export PATH
+
+TSDIR="@rundir@/ts"
+rval=0
+
+case "$1" in
+start_msg)
+ echo "Removing the $TSDIR directory"
+ ;;
+start)
+ rm -rf "$TSDIR"
+ ;;
+*)
+ echo "usage: $0 {start|start_msg}"
+ rval=1
+ ;;
+esac
+
+exit $rval
diff --git a/etc/init.d/sudo.conf.in b/etc/init.d/sudo.conf.in
new file mode 100644
index 0000000..dfae56b
--- /dev/null
+++ b/etc/init.d/sudo.conf.in
@@ -0,0 +1,6 @@
+# Create an empty sudo time stamp directory on OSes using systemd.
+# Sudo will create the directory itself but this can cause problems
+# on systems that have SELinux enabled since the directories will be
+# created with the user's security context.
+d @rundir@ 0711 root root
+D @rundir@/ts 0700 root root
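Review bot: The header comment does not say why the two entries use different types. `d @rundir@` only creates the directory, while `D @rundir@/ts` additionally has its contents emptied when systemd-tmpfiles is run with --remove. Presumably that is deliberate, so that old time stamp records do not outlive a cleanup. A one-line comment above the second entry, such as `# 'D': contents are emptied by systemd-tmpfiles --remove`, would make the intent explicit for whoever edits the modes or paths later.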
diff --git a/etc/sudo-logsrvd.pp b/etc/sudo-logsrvd.pp
new file mode 100644
index 0000000..663ae6d
--- /dev/null
+++ b/etc/sudo-logsrvd.pp
@@ -0,0 +1,256 @@
+%set
+ name="sudo-logsrvd"
+ summary="Sudo event and I/O log server"
+ description="The sudo_logsrvd daemon collects event and I/O logs \
+from sudo clients.
+This makes it possible to have all sudo I/O logs on a central server."
+ vendor="Todd C. Miller"
+ copyright="(c) 2019-2021 Todd C. Miller"
+
+%if [aix]
+ # Convert to 4 part version for AIX, including patch level
+ pp_aix_version=`echo $version|sed -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)p\([0-9]*\)$/\1.\2/' -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)[^0-9\.].*$/\1/' -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)$/\1.0/'`
+
+ # Don't allow sudo to prompt for a password
+ pp_aix_sudo="sudo -n"
+%endif
+
+%if [sd]
+ pp_sd_vendor_tag="TCM"
+%endif
+
+%if [solaris]
+ pp_solaris_name="TCM${name}"
+ pp_solaris_pstamp=`/usr/bin/date "+%B %d, %Y"`
+%endif
+
+%if [macos]
+ # System Integrity Protection on macOS won't allow us to write
+ # directly to /etc or /var. We must install in /private instead.
+ case "$sysconfdir" in
+ /etc|/etc/*)
+ mkdir -p ${pp_destdir}/private
+ chmod 755 ${pp_destdir}/private
+ if test -d ${pp_destdir}/etc; then
+ mv ${pp_destdir}/etc ${pp_destdir}/private/etc
+ fi
+ sysconfdir="/private${sysconfdir}"
+ ;;
+ esac
+ case "$vardir" in
+ /var|/var/*)
+ mkdir -p ${pp_destdir}/private
+ chmod 755 ${pp_destdir}/private
+ if test -d ${pp_destdir}/var; then
+ mv ${pp_destdir}/var ${pp_destdir}/private/var
+ fi
+ vardir="/private${vardir}"
+ ;;
+ esac
+ case "$rundir" in
+ /var|/var/*)
+ mkdir -p ${pp_destdir}/private
+ chmod 755 ${pp_destdir}/private
+ if test -d ${pp_destdir}/var; then
+ mv ${pp_destdir}/var ${pp_destdir}/private/var
+ fi
+ rundir="/private${rundir}"
+ ;;
+ esac
+%endif
+
+%if [rpm,deb]
+ # Convert patch level into release and remove from version
+ pp_rpm_release="`expr \( $version : '.*p\([0-9][0-9]*\)$' \| 0 \) + 1`"
+ pp_rpm_version="`expr \( $version : '\(.*\)p[0-9][0-9]*$' \| $version \)`"
+ pp_rpm_license="BSD"
+ pp_rpm_url="https://www.sudo.ws"
+ pp_rpm_group="Applications/System"
+ pp_rpm_packager="Todd C. Miller <Todd.Miller@sudo.ws>"
+%else
+ # We install sudo_logsrvd.conf from the example dir during post-install
+ rm -f ${pp_destdir}$sysconfdir/sudo_logsrvd.conf
+%endif
+
+ # Stash original docdir and exampledir
+ odocdir="${docdir}"
+ oexampledir="${exampledir}"
+
+ # For RedHat the doc dir is expected to include version and release
+ case "$pp_rpm_distro" in
+ centos*|rhel*|f[0-9]*)
+ docdir="${docdir}-${pp_rpm_version}-${pp_rpm_release}"
+ exampledir="${docdir}/examples"
+ ;;
+ esac
+
+ # docdir and exampledir are installed with "sudo" as the package
+ # name which may not be correct.
+ docdir="`echo \"${docdir}\" | sed \"s#/sudo#/${name}#g\"`"
+ exampledir="`echo \"${exampledir}\" | sed \"s#/sudo#/${name}#g\"`"
+
+ # Copy docdir and exampledir to new names if needed
+ if test ! -d "${pp_destdir}${docdir}"; then
+ cp -R ${pp_destdir}${odocdir} ${pp_destdir}${docdir}
+ find ${pp_destdir}${docdir} -depth | sed "s#^${pp_destdir}##" >> ${pp_wrkdir}/pp_cleanup
+ fi
+ if test ! -d "${pp_destdir}${exampledir}"; then
+ cp -R ${pp_destdir}${oexampledir} ${pp_destdir}${exampledir}
+ find ${pp_destdir}${exampledir} -depth | sed "s#^${pp_destdir}##" >> ${pp_wrkdir}/pp_cleanup
+ fi
+
+%if [deb]
+ pp_deb_maintainer="$pp_rpm_packager"
+ pp_deb_release="$pp_rpm_release"
+ pp_deb_version="$pp_rpm_version"
+ pp_deb_section=admin
+ install -D -m 644 ${pp_destdir}$docdir/LICENSE ${pp_wrkdir}/${name}/usr/share/doc/${name}/copyright
+ install -D -m 644 ${pp_destdir}$docdir/ChangeLog ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog
+ gzip -9f ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog
+ printf "$name ($pp_deb_version-$pp_deb_release) admin; urgency=low\n\n * see upstream changelog\n\n -- $pp_deb_maintainer `date '+%a, %d %b %Y %T %z'`\n" > ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian
+ chmod 644 ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian
+ gzip -9f ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian
+ # Create lintian override file
+ mkdir -p ${pp_wrkdir}/${name}/usr/share/lintian/overrides
+ cat >${pp_wrkdir}/${name}/usr/share/lintian/overrides/${name} <<-EOF
+ # Sudo ships with debugging symbols
+ $name: unstripped-binary-or-object
+ EOF
+ chmod 644 ${pp_wrkdir}/${name}/usr/share/lintian/overrides/${name}
+%endif
+
+%if [rpm]
+ # Add distro info to release
+ osrelease=`echo "$pp_rpm_distro" | sed -e 's/^[^0-9]*\([0-9]\{1,2\}\).*/\1/'`
+ case "$pp_rpm_distro" in
+ centos*|rhel*|f[0-9]*)
+ pp_rpm_release="$pp_rpm_release.el${osrelease%%[0-9]}"
+ ;;
+ sles*)
+ pp_rpm_release="$pp_rpm_release.sles$osrelease"
+ ;;
+ esac
+%endif
+
+%if [macos]
+ pp_macos_bundle_id=ws.sudo.pkg.sudo-logsrvd
+ pp_macos_pkg_license=${pp_destdir}$docdir/LICENSE
+ pp_macos_pkg_readme=${pp_wrkdir}/ReadMe.txt
+ pp_macos_pkg_type=flat
+ perl -pe 'last if (/^What/i && $seen++)' ${pp_destdir}$docdir/NEWS > ${pp_wrkdir}/ReadMe.txt
+%endif
+
+%if X"$aix_freeware" = X"true"
+ # Create links from /opt/freeware/sbin -> /usr/sbin
+ mkdir -p ${pp_destdir}/usr/sbin
+ ln -s -f ${sbindir}/sudo_logsrvd ${pp_destdir}/usr/sbin
+%endif
+
+ # Package parent directories when not installing under /usr
+ if test "${prefix}" != "/usr"; then
+ extradirs=`echo ${pp_destdir}${mandir}/[mc]* | sed "s#${pp_destdir}##g"`
+ extradirs="$extradirs `dirname $docdir` `dirname $rundir`"
+ test "`dirname $exampledir`" != "$docdir" && extradirs="$extradirs `dirname $exampledir`"
+ for dir in $sbindir $extradirs; do
+ while test "$dir" != "/"; do
+ parentdirs="${parentdirs}${parentdirs+ }$dir/"
+ dir=`dirname $dir`
+ done
+ done
+ parentdirs=`echo $parentdirs | tr " " "\n" | sort -u`
+ fi
+
+%depend [deb]
+ libc6, zlib1g, sudo
+
+%fixup [deb]
+ if test -n "%{libssl_dep}"; then
+ DEPENDS="%{libssl_dep}"
+ cp -p %{pp_wrkdir}/%{name}/DEBIAN/control %{pp_wrkdir}/%{name}/DEBIAN/control.$$
+ sed "s/^\(Depends:.*\) *$/\1, ${DEPENDS}/" %{pp_wrkdir}/%{name}/DEBIAN/control.$$ > %{pp_wrkdir}/%{name}/DEBIAN/control
+ rm -f %{pp_wrkdir}/%{name}/DEBIAN/control.$$
+ fi
+ echo "Homepage: https://www.sudo.ws" >> %{pp_wrkdir}/%{name}/DEBIAN/control
+ echo "Bugs: https://bugzilla.sudo.ws" >> %{pp_wrkdir}/%{name}/DEBIAN/control
+
+%fixup [rpm]
+ cat > %{pp_wrkdir}/${name}.spec.sed <<-'EOF'
+ /^%files/ {
+ i\
+ %clean\
+ :\
+
+ }
+ EOF
+ mv %{pp_wrkdir}/${name}.spec %{pp_wrkdir}/${name}.spec.bak
+ sed -f %{pp_wrkdir}/${name}.spec.sed %{pp_wrkdir}/${name}.spec.bak > %{pp_wrkdir}/${name}.spec
+
+%files
+ /** ignore
+%if X"$parentdirs" != X""
+ $parentdirs - ignore-others
+%endif
+ $sbindir/sudo_logsrvd 0755 ignore-others
+ $mandir/man*/*logsrv* 0644 ignore-others
+ $rundir/ 0711 root: ignore-others
+ $docdir/ 0755 ignore-others
+ $exampledir/ 0755 ignore-others
+ $exampledir/*logsrv* 0644 ignore-others
+%if [rpm,deb]
+ $sysconfdir/sudo_logsrvd.conf 0644 root: volatile,ignore-others
+%endif
+%if X"$aix_freeware" = X"true"
+ # Links for binaries from /opt/freeware to /usr
+ /usr/sbin/sudo_logsrvd 0755 root: symlink,ignore-others $sbindir/logsrvd
+%endif
+
+%post [!rpm,deb]
+ # Don't overwrite existing sudo_logsrvd.conf files
+%if [solaris]
+ sysconfdir=${PKG_INSTALL_ROOT}%{sysconfdir}
+ exampledir=${PKG_INSTALL_ROOT}%{exampledir}
+%else
+ sysconfdir=%{sysconfdir}
+ exampledir=%{exampledir}
+%endif
+ if test ! -r $sysconfdir/sudo_logsrvd.conf; then
+ cp $exampledir/sudo_logsrvd.conf $sysconfdir/sudo_logsrvd.conf
+ chmod 644 $sysconfdir/sudo_logsrvd.conf
+ chown root $sysconfdir/sudo_logsrvd.conf
+ fi
+
+%service sudo_logsrvd
+%if [aix,macos]
+ cmd="${sbindir}/sudo_logsrvd -n"
+%else
+ cmd=${sbindir}/sudo_logsrvd
+ pidfile=${rundir}/sudo_logsrvd.pid
+%endif
+%if [macos]
+ pp_macos_service_id=ws.sudo.sudo_logsrvd
+%endif
+%if [rpm,deb]
+ # Only include systemd support if it exists on the build machine.
+ # This assumes that we are building on the same distro that the
+ # package will be installed on (which is the case for sudo).
+ if test -d /etc/systemd; then
+ for d in `pkg-config systemd --variable=systemdsystemunitdir 2>/dev/null` /lib/systemd/system /usr/lib/systemd/system; do
+ if test -d "$d"; then
+ break
+ fi
+ done
+ pp_systemd_service_description="Sudo central log server"
+ pp_systemd_service_dir="$d"
+ pp_systemd_service_exec="${cmd}"
+ pp_systemd_service_exec_args="-n"
+ pp_systemd_service_man="man:sudo_logsrvd(8) man:sudo_logsrvd.conf(5)"
+ pp_systemd_service_documentation="https://www.sudo.ws/man.html"
+ pp_systemd_service_after="syslog.target network.target auditd.service"
+ pp_systemd_service_killmode="process"
+ pp_systemd_service_type="exec"
+ pp_systemd_system_target="multi-user.target"
+ else
+ # No systemd support
+ pp_systemd_disabled=true
+ fi
+%endif
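Review bot: In the `%files` section, the AIX freeware entry `/usr/sbin/sudo_logsrvd 0755 root: symlink,ignore-others $sbindir/logsrvd` names `$sbindir/logsrvd` as the link target, which does not match the binary this package installs. The file listed a few lines above it is `$sbindir/sudo_logsrvd`, and the `ln -s -f ${sbindir}/sudo_logsrvd ${pp_destdir}/usr/sbin` in the earlier `%if X"$aix_freeware" = X"true"` block points there as well. Unless the packaging tool ignores the target field for links that already exist in the staging tree, the manifest would record a dangling link; the target should read `$sbindir/sudo_logsrvd`. etc/sudo.pp appears to have the same mismatch in `/usr/sbin/sudo_sendlog 0755 root: symlink $sbindir/sendlog`.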
diff --git a/etc/sudo-python.pp b/etc/sudo-python.pp
new file mode 100644
index 0000000..fac3b34
--- /dev/null
+++ b/etc/sudo-python.pp
@@ -0,0 +1,149 @@
+%set
+ name="sudo-python"
+ summary="Sudo Python plugin framework"
+ description="The sudo Python plugin allows you to extend sudo using Python."
+ vendor="Todd C. Miller"
+ copyright="(c) 2019-2021 Todd C. Miller"
+
+%if [aix]
+ # Convert to 4 part version for AIX, including patch level
+ pp_aix_version=`echo $version|sed -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)p\([0-9]*\)$/\1.\2/' -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)[^0-9\.].*$/\1/' -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)$/\1.0/'`
+
+ # Don't allow sudo to prompt for a password
+ pp_aix_sudo="sudo -n"
+%endif
+
+%if [sd]
+ pp_sd_vendor_tag="TCM"
+%endif
+
+%if [solaris]
+ pp_solaris_name="TCM${name}"
+ pp_solaris_pstamp=`/usr/bin/date "+%B %d, %Y"`
+%endif
+
+%if [rpm,deb]
+ # Convert patch level into release and remove from version
+ pp_rpm_release="`expr \( $version : '.*p\([0-9][0-9]*\)$' \| 0 \) + 1`"
+ pp_rpm_version="`expr \( $version : '\(.*\)p[0-9][0-9]*$' \| $version \)`"
+ pp_rpm_license="BSD"
+ pp_rpm_url="https://www.sudo.ws"
+ pp_rpm_group="Applications/System"
+ pp_rpm_packager="Todd C. Miller <Todd.Miller@sudo.ws>"
+%endif
+
+ # Stash original docdir and exampledir
+ odocdir="${docdir}"
+ oexampledir="${exampledir}"
+
+ # For RedHat the doc dir is expected to include version and release
+ case "$pp_rpm_distro" in
+ centos*|rhel*|f[0-9]*)
+ docdir="${docdir}-${pp_rpm_version}-${pp_rpm_release}"
+ exampledir="${docdir}/examples"
+ ;;
+ esac
+
+ # docdir and exampledir are installed with "sudo" as the package
+ # name which may not be correct.
+ docdir="`echo \"${docdir}\" | sed \"s#/sudo#/${name}#g\"`"
+ exampledir="`echo \"${exampledir}\" | sed \"s#/sudo#/${name}#g\"`"
+
+ # Copy docdir and exampledir to new names if needed
+ if test ! -d "${pp_destdir}${docdir}"; then
+ cp -R ${pp_destdir}${odocdir} ${pp_destdir}${docdir}
+ find ${pp_destdir}${docdir} -depth | sed "s#^${pp_destdir}##" >> ${pp_wrkdir}/pp_cleanup
+ fi
+ if test ! -d "${pp_destdir}${exampledir}"; then
+ cp -R ${pp_destdir}${oexampledir} ${pp_destdir}${exampledir}
+ find ${pp_destdir}${exampledir} -depth | sed "s#^${pp_destdir}##" >> ${pp_wrkdir}/pp_cleanup
+ fi
+
+%if [deb]
+ pp_deb_maintainer="$pp_rpm_packager"
+ pp_deb_release="$pp_rpm_release"
+ pp_deb_version="$pp_rpm_version"
+ pp_deb_section=admin
+ install -D -m 644 ${pp_destdir}$docdir/LICENSE ${pp_wrkdir}/${name}/usr/share/doc/${name}/copyright
+ install -D -m 644 ${pp_destdir}$docdir/ChangeLog ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog
+ gzip -9f ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog
+ printf "$name ($pp_deb_version-$pp_deb_release) admin; urgency=low\n\n * see upstream changelog\n\n -- $pp_deb_maintainer `date '+%a, %d %b %Y %T %z'`\n" > ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian
+ chmod 644 ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian
+ gzip -9f ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian
+ # Create lintian override file
+ mkdir -p ${pp_wrkdir}/${name}/usr/share/lintian/overrides
+ cat >${pp_wrkdir}/${name}/usr/share/lintian/overrides/${name} <<-EOF
+ # Sudo ships with debugging symbols
+ $name: unstripped-binary-or-object
+ EOF
+ chmod 644 ${pp_wrkdir}/${name}/usr/share/lintian/overrides/${name}
+%endif
+
+%if [rpm]
+ # Add distro info to release
+ osrelease=`echo "$pp_rpm_distro" | sed -e 's/^[^0-9]*\([0-9]\{1,2\}\).*/\1/'`
+ case "$pp_rpm_distro" in
+ centos*|rhel*|f[0-9]*)
+ pp_rpm_release="$pp_rpm_release.el${osrelease%%[0-9]}"
+ ;;
+ sles*)
+ pp_rpm_release="$pp_rpm_release.sles$osrelease"
+ ;;
+ esac
+%endif
+
+%if [macos]
+ pp_macos_pkg_type=flat
+ pp_macos_bundle_id=ws.sudo.pkg.sudo-python
+ pp_macos_pkg_license=${pp_destdir}$docdir/LICENSE
+ pp_macos_pkg_readme=${pp_wrkdir}/ReadMe.txt
+ perl -pe 'last if (/^What/i && $seen++)' ${pp_destdir}$docdir/NEWS > ${pp_wrkdir}/ReadMe.txt
+%endif
+
+ # Package parent directories when not installing under /usr
+ if test "${prefix}" != "/usr"; then
+ extradirs=`echo ${pp_destdir}${mandir}/[mc]* | sed "s#${pp_destdir}##g"`
+ extradirs="$extradirs `dirname $docdir`"
+ test "`dirname $exampledir`" != "$docdir" && extradirs="$extradirs `dirname $exampledir`"
+ for dir in $libexecdir $extradirs; do
+ while test "$dir" != "/"; do
+ parentdirs="${parentdirs}${parentdirs+ }$dir/"
+ dir=`dirname $dir`
+ done
+ done
+ parentdirs=`echo $parentdirs | tr " " "\n" | sort -u`
+ fi
+
+%depend [deb]
+ libc6, libpython@PYTHON_VERSION@, sudo
+
+%fixup [deb]
+ cp -p %{pp_wrkdir}/%{name}/DEBIAN/control %{pp_wrkdir}/%{name}/DEBIAN/control.$$
+ sed "s/@PYTHON_VERSION@/%{python_version}/g" %{pp_wrkdir}/%{name}/DEBIAN/control.$$ > %{pp_wrkdir}/%{name}/DEBIAN/control
+ rm -f %{pp_wrkdir}/%{name}/DEBIAN/control.$$
+ echo "Homepage: https://www.sudo.ws" >> %{pp_wrkdir}/%{name}/DEBIAN/control
+ echo "Bugs: https://bugzilla.sudo.ws" >> %{pp_wrkdir}/%{name}/DEBIAN/control
+
+%fixup [rpm]
+ cat > %{pp_wrkdir}/${name}.spec.sed <<-'EOF'
+ /^%files/ {
+ i\
+ %clean\
+ :\
+
+ }
+ EOF
+ mv %{pp_wrkdir}/${name}.spec %{pp_wrkdir}/${name}.spec.bak
+ sed -f %{pp_wrkdir}/${name}.spec.sed %{pp_wrkdir}/${name}.spec.bak > %{pp_wrkdir}/${name}.spec
+
+%files
+ /** ignore
+%if X"$parentdirs" != X""
+ $parentdirs - ignore-others
+%endif
+ $libexecdir/sudo/ 0755 ignore-others
+ $libexecdir/sudo/python* $shlib_mode ignore-others
+ $docdir/ 0755 ignore-others
+ $exampledir/ 0755 ignore-others
+ $exampledir/*.py 0644 ignore-others
+ $mandir/man*/*python* 0644 ignore-others
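Review bot: The `printf` that writes changelog.Debian in the `%if [deb]` block expands `$name`, `$pp_deb_version`, `$pp_deb_release`, `$pp_deb_maintainer` and the `date` output inside the format string. A `%` or backslash in any of them would be interpreted as a conversion or escape rather than written out. Keeping the format constant and passing the values as arguments avoids that, e.g. `printf '%s (%s-%s) admin; urgency=low\n...' "$name" "$pp_deb_version" "$pp_deb_release"`, with two further `%s` for the maintainer and the date. The same line appears in the `%if [deb]` blocks of etc/sudo-logsrvd.pp and etc/sudo.pp.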
diff --git a/etc/sudo.pp b/etc/sudo.pp
new file mode 100644
index 0000000..b4ac0d1
--- /dev/null
+++ b/etc/sudo.pp
@@ -0,0 +1,596 @@
+%set
+ if test -n "$flavor"; then
+ name="sudo-$flavor"
+ else
+ name="sudo"
+ fi
+ summary="Provide limited super-user privileges to specific users"
+ description="Sudo is a program designed to allow a sysadmin to give \
+limited root privileges to users and log root activity. \
+The basic philosophy is to give as few privileges as possible but \
+still allow people to get their work done."
+ vendor="Todd C. Miller"
+ copyright="(c) 1993-1996,1998-2021 Todd C. Miller"
+ sudoedit_man=`echo ${pp_destdir}$mandir/*/sudoedit.*|sed "s:^${pp_destdir}::"`
+ sudoedit_man_target=`basename $sudoedit_man | sed 's/edit//'`
+
+%if [aix]
+ # AIX package summary is limited to 40 characters
+ summary="Configurable super-user privileges"
+
+ # Convert to 4 part version for AIX, including patch level
+ pp_aix_version=`echo $version|sed -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)p\([0-9]*\)$/\1.\2/' -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)[^0-9\.].*$/\1/' -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)$/\1.0/'`
+
+ # Don't allow sudo to prompt for a password
+ pp_aix_sudo="sudo -n"
+%endif
+
+%if [sd]
+ pp_sd_vendor_tag="TCM"
+%endif
+
+%if [solaris]
+ pp_solaris_name="TCM${name}"
+ pp_solaris_pstamp=`/usr/bin/date "+%B %d, %Y"`
+%endif
+
+%if [macos]
+ # System Integrity Protection on macOS won't allow us to write
+ # directly to /etc or /var. We must install in /private instead.
+ case "$sudoersdir" in
+ /etc|/etc/*)
+ mkdir -p ${pp_destdir}/private
+ chmod 755 ${pp_destdir}/private
+ if test -d ${pp_destdir}/etc; then
+ mv ${pp_destdir}/etc ${pp_destdir}/private/etc
+ fi
+ sudoersdir="/private${sudoersdir}"
+ ;;
+ esac
+ case "$sysconfdir" in
+ /etc|/etc/*)
+ mkdir -p ${pp_destdir}/private
+ chmod 755 ${pp_destdir}/private
+ if test -d ${pp_destdir}/etc; then
+ mv ${pp_destdir}/etc ${pp_destdir}/private/etc
+ fi
+ sysconfdir="/private${sysconfdir}"
+ ;;
+ esac
+ case "$vardir" in
+ /var|/var/*)
+ mkdir -p ${pp_destdir}/private
+ chmod 755 ${pp_destdir}/private
+ if test -d ${pp_destdir}/var; then
+ mv ${pp_destdir}/var ${pp_destdir}/private/var
+ fi
+ vardir="/private${vardir}"
+ ;;
+ esac
+ case "$rundir" in
+ /var|/var/*)
+ mkdir -p ${pp_destdir}/private
+ chmod 755 ${pp_destdir}/private
+ if test -d ${pp_destdir}/var; then
+ mv ${pp_destdir}/var ${pp_destdir}/private/var
+ fi
+ rundir="/private${rundir}"
+ ;;
+ esac
+%endif
+
+%if [rpm,deb]
+ # Convert patch level into release and remove from version
+ pp_rpm_release="`expr \( $version : '.*p\([0-9][0-9]*\)$' \| 0 \) + 1`"
+ pp_rpm_version="`expr \( $version : '\(.*\)p[0-9][0-9]*$' \| $version \)`"
+ pp_rpm_license="BSD"
+ pp_rpm_url="https://www.sudo.ws"
+ pp_rpm_group="Applications/System"
+ pp_rpm_packager="Todd C. Miller <Todd.Miller@sudo.ws>"
+ if test -n "$linux_audit"; then
+ pp_rpm_requires="audit-libs >= $linux_audit"
+ fi
+ if test -z "$libssl_dep"; then
+ libssl_dep="libssl1.1"
+ fi
+ # The package manager will handle an existing sudoers file
+ rm -f ${pp_destdir}$sudoersdir/sudoers.dist
+%else
+ # For all but RPM and Debian we copy sudoers in a post-install script.
+ rm -f ${pp_destdir}$sudoersdir/sudoers
+ # We install sudo.conf from the example dir in a post-install script.
+ rm -f ${pp_destdir}$sysconfdir/sudo.conf
+%endif
+
+ # Stash original docdir and exampledir
+ odocdir="${docdir}"
+ oexampledir="${exampledir}"
+
+ # For RedHat the doc dir is expected to include version and release
+ case "$pp_rpm_distro" in
+ centos*|rhel*|f[0-9]*)
+ docdir="${docdir}-${pp_rpm_version}-${pp_rpm_release}"
+ exampledir="${docdir}/examples"
+ ;;
+ esac
+
+ if test -n "$flavor"; then
+ # docdir and exampledir are installed with "sudo" as the package
+ # name which is not be correct for flavors.
+ docdir="`echo \"${docdir}\" | sed \"s#/sudo#/${name}#g\"`"
+ exampledir="`echo \"${exampledir}\" | sed \"s#/sudo#/${name}#g\"`"
+ fi
+
+ # Copy docdir and exampledir to new names if needed
+ if test ! -d "${pp_destdir}${docdir}"; then
+ cp -R ${pp_destdir}${odocdir} ${pp_destdir}${docdir}
+ find ${pp_destdir}${docdir} -depth | sed "s#^${pp_destdir}##" >> ${pp_wrkdir}/pp_cleanup
+ fi
+ if test ! -d "${pp_destdir}${exampledir}"; then
+ cp -R ${pp_destdir}${oexampledir} ${pp_destdir}${exampledir}
+ find ${pp_destdir}${exampledir} -depth | sed "s#^${pp_destdir}##" >> ${pp_wrkdir}/pp_cleanup
+ fi
+
+%if [deb]
+ pp_deb_maintainer="$pp_rpm_packager"
+ pp_deb_release="$pp_rpm_release"
+ pp_deb_version="$pp_rpm_version"
+ pp_deb_section=admin
+ install -D -m 644 ${pp_destdir}$docdir/LICENSE ${pp_wrkdir}/${name}/usr/share/doc/${name}/copyright
+ install -D -m 644 ${pp_destdir}$docdir/ChangeLog ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog
+ gzip -9f ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog
+ printf "$name ($pp_deb_version-$pp_deb_release) admin; urgency=low\n\n * see upstream changelog\n\n -- $pp_deb_maintainer `date '+%a, %d %b %Y %T %z'`\n" > ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian
+ chmod 644 ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian
+ gzip -9f ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian
+ # Create lintian override file
+ mkdir -p ${pp_wrkdir}/${name}/usr/share/lintian/overrides
+ cat >${pp_wrkdir}/${name}/usr/share/lintian/overrides/${name} <<-EOF
+ # The sudo binary must be setuid root
+ $name: setuid-binary usr/bin/sudo 4755 root/root
+ # Sudo configuration and data dirs must not be world-readable
+ $name: non-standard-file-perm etc/sudoers 0440 != 0644
+ $name: non-standard-dir-perm etc/sudoers.d/ 0750 != 0755
+ $name: non-standard-dir-perm var/lib/sudo/ 0700 != 0755
+ # Sudo ships with debugging symbols
+ $name: unstripped-binary-or-object
+ EOF
+ chmod 644 ${pp_wrkdir}/${name}/usr/share/lintian/overrides/${name}
+%endif
+
+%if [rpm]
+ # Add distro info to release
+ osrelease=`echo "$pp_rpm_distro" | sed -e 's/^[^0-9]*\([0-9]\{1,2\}\).*/\1/'`
+ case "$pp_rpm_distro" in
+ centos*|rhel*|f[0-9]*)
+ pp_rpm_release="$pp_rpm_release.el${osrelease%%[0-9]}"
+ ;;
+ sles*)
+ pp_rpm_release="$pp_rpm_release.sles$osrelease"
+ ;;
+ esac
+
+ # Uncomment some Defaults in sudoers
+ # Note that the order must match that of sudoers.
+ case "$pp_rpm_distro" in
+ centos*|rhel*|f[0-9]*)
+ chmod u+w ${pp_destdir}${sudoersdir}/sudoers
+ /bin/ed - ${pp_destdir}${sudoersdir}/sudoers <<-'EOF'
+ /Locale settings/+1,s/^# //
+ /Desktop path settings/+1,s/^# //
+ /allow members of group wheel to execute any command/+1,s/^# //
+ w
+ q
+ EOF
+ chmod u-w ${pp_destdir}${sudoersdir}/sudoers
+ ;;
+ sles*)
+ chmod u+w ${pp_destdir}${sudoersdir}/sudoers
+ /bin/ed - ${pp_destdir}${sudoersdir}/sudoers <<-'EOF'
+ /Locale settings/+1,s/^# //
+ /ConsoleKit session/+1,s/^# //
+ /allow any user to run sudo if they know the password/+2,s/^# //
+ /allow any user to run sudo if they know the password/+3,s/^# //
+ w
+ q
+ EOF
+ chmod u-w ${pp_destdir}${sudoersdir}/sudoers
+ ;;
+ esac
+
+ # Choose the correct PAM file by distro, must be tab indented for "<<-"
+ case "$pp_rpm_distro" in
+ centos*|rhel*)
+ mkdir -p ${pp_destdir}/etc/pam.d
+ if test $osrelease -lt 50; then
+ cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
+ #%PAM-1.0
+ auth required pam_stack.so service=system-auth
+ account required pam_stack.so service=system-auth
+ password required pam_stack.so service=system-auth
+ session required pam_limits.so
+ EOF
+ else
+ cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
+ #%PAM-1.0
+ auth include system-auth
+ account include system-auth
+ password include system-auth
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+ EOF
+ cat > ${pp_destdir}/etc/pam.d/sudo-i <<-EOF
+ #%PAM-1.0
+ auth include sudo
+ account include sudo
+ password include sudo
+ session optional pam_keyinit.so force revoke
+ session required pam_limits.so
+ EOF
+ fi
+ ;;
+ f[0-9]*)
+ # XXX - share with rhel
+ mkdir -p ${pp_destdir}/etc/pam.d
+ cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
+ #%PAM-1.0
+ auth include system-auth
+ account include system-auth
+ password include system-auth
+ session optional pam_keyinit.so revoke
+ session required pam_limits.so
+ EOF
+ cat > ${pp_destdir}/etc/pam.d/sudo-i <<-EOF
+ #%PAM-1.0
+ auth include sudo
+ account include sudo
+ password include sudo
+ session optional pam_keyinit.so force revoke
+ session required pam_limits.so
+ EOF
+ ;;
+ sles*)
+ mkdir -p ${pp_destdir}/etc/pam.d
+ if test $osrelease -lt 10; then
+ cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
+ #%PAM-1.0
+ auth required pam_unix2.so
+ session required pam_limits.so
+ EOF
+ else
+ cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
+ #%PAM-1.0
+ auth include common-auth
+ account include common-account
+ password include common-password
+ session include common-session
+ # session optional pam_xauth.so
+ EOF
+ fi
+ ;;
+ esac
+%endif
+
+%if [deb]
+ # Uncomment some Defaults and the %sudo rule in sudoers
+ # Note that the order must match that of sudoers and be tab-indented.
+ chmod u+w ${pp_destdir}${sudoersdir}/sudoers
+ /bin/ed - ${pp_destdir}${sudoersdir}/sudoers <<-'EOF'
+ /Locale settings/+1,s/^# //
+ /X11 resource/+1,s/^# //
+ /^# \%sudo/,s/^# //
+ /^# Defaults secure_path/,s/^# //
+ /^# Defaults mail_badpass/,s/^# //
+ w
+ q
+ EOF
+ chmod u-w ${pp_destdir}${sudoersdir}/sudoers
+ mkdir -p ${pp_destdir}/etc/pam.d
+ cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
+ #%PAM-1.0
+
+ @include common-auth
+ @include common-account
+
+ session required pam_permit.so
+ session required pam_limits.so
+ EOF
+%endif
+
+%if [macos]
+ pp_macos_pkg_type=flat
+ pp_macos_bundle_id=ws.sudo.pkg.sudo
+ pp_macos_pkg_license=${pp_destdir}$docdir/LICENSE
+ pp_macos_pkg_readme=${pp_wrkdir}/ReadMe.txt
+ perl -pe 'last if (/^What/i && $seen++)' ${pp_destdir}$docdir/NEWS > ${pp_wrkdir}/ReadMe.txt
+%endif
+
+%if X"$aix_freeware" = X"true"
+ # Create links from /opt/freeware/{bin,sbin} -> /usr/{bin,sbin}
+ mkdir -p ${pp_destdir}/usr/bin ${pp_destdir}/usr/sbin
+ ln -s -f ${bindir}/cvtsudoers ${pp_destdir}/usr/bin
+ ln -s -f ${bindir}/sudo ${pp_destdir}/usr/bin
+ ln -s -f ${bindir}/sudoedit ${pp_destdir}/usr/bin
+ ln -s -f ${bindir}/sudoreplay ${pp_destdir}/usr/bin
+ ln -s -f ${sbindir}/sudo_sendlog ${pp_destdir}/usr/sbin
+ ln -s -f ${sbindir}/visudo ${pp_destdir}/usr/sbin
+%endif
+
+ # Package parent directories when not installing under /usr
+ if test "${prefix}" != "/usr"; then
+ extradirs=`echo ${pp_destdir}${mandir}/[mc]* | sed "s#${pp_destdir}##g"`
+ extradirs="$extradirs `dirname $docdir` `dirname $rundir` `dirname $vardir`"
+ test "`dirname $exampledir`" != "$docdir" && extradirs="$extradirs `dirname $exampledir`"
+ test -d ${pp_destdir}${localedir} && extradirs="$extradirs $localedir"
+ for dir in $bindir $sbindir $libexecdir $includedir $extradirs; do
+ while test "$dir" != "/"; do
+ parentdirs="${parentdirs}${parentdirs+ }$dir/"
+ dir=`dirname $dir`
+ done
+ done
+ parentdirs=`echo $parentdirs | tr " " "\n" | sort -u`
+ fi
+
+%depend [deb]
+ libc6, libpam0g, libpam-modules, zlib1g, libselinux1
+
+%fixup [deb]
+ # Add Conflicts, Replaces headers and add libldap dependency as needed.
+ DEPENDS="%{linux_audit}"
+ if test -z "%{flavor}"; then
+ echo "Conflicts: sudo-ldap" >> %{pp_wrkdir}/%{name}/DEBIAN/control
+ echo "Replaces: sudo-ldap" >> %{pp_wrkdir}/%{name}/DEBIAN/control
+ elif test "%{flavor}" = "ldap"; then
+ echo "Conflicts: sudo" >> %{pp_wrkdir}/%{name}/DEBIAN/control
+ echo "Replaces: sudo" >> %{pp_wrkdir}/%{name}/DEBIAN/control
+ echo "Provides: sudo" >> %{pp_wrkdir}/%{name}/DEBIAN/control
+ DEPENDS="${DEPENDS}${DEPENDS:+, }libldap-2.4-2"
+ fi
+ if test -n "%{libssl_dep}"; then
+ DEPENDS="${DEPENDS}${DEPENDS:+, }%{libssl_dep}"
+ fi
+ cp -p %{pp_wrkdir}/%{name}/DEBIAN/control %{pp_wrkdir}/%{name}/DEBIAN/control.$$
+ if test -n "${DEPENDS}"; then
+ sed "s/^\(Depends:.*\) *$/\1, ${DEPENDS}/" %{pp_wrkdir}/%{name}/DEBIAN/control.$$ > %{pp_wrkdir}/%{name}/DEBIAN/control
+ fi
+ rm -f %{pp_wrkdir}/%{name}/DEBIAN/control.$$
+ echo "Homepage: https://www.sudo.ws" >> %{pp_wrkdir}/%{name}/DEBIAN/control
+ echo "Bugs: https://bugzilla.sudo.ws" >> %{pp_wrkdir}/%{name}/DEBIAN/control
+
+%fixup [rpm]
+ cat > %{pp_wrkdir}/${name}.spec.sed <<-'EOF'
+ /^%files/ {
+ i\
+ %clean\
+ :\
+
+ }
+ EOF
+ mv %{pp_wrkdir}/${name}.spec %{pp_wrkdir}/${name}.spec.bak
+ sed -f %{pp_wrkdir}/${name}.spec.sed %{pp_wrkdir}/${name}.spec.bak > %{pp_wrkdir}/${name}.spec
+
+%files
+%if X"$parentdirs" != X""
+ $parentdirs -
+%endif
+%if X"$odocdir" != X"$docdir"
+ $odocdir/ ignore
+ $odocdir/** ignore
+%endif
+%if X"$oexampledir" != X"$exampledir" -a X"$exampledir" != X"$docdir/examples"
+ $oexampledir/ ignore
+ $oexampledir/** ignore
+%endif
+ $bindir/cvtsudoers 0755 root:
+ $bindir/sudo 4755 root:
+ $bindir/sudoedit 0755 root: symlink sudo
+ $bindir/sudoreplay 0755
+ $sbindir/sudo_sendlog 0755
+ $sbindir/sudo_logsrvd optional,ignore
+ $sbindir/visudo 0755
+ $includedir/sudo_plugin.h 0644
+ $libexecdir/sudo/ 0755
+ $libexecdir/sudo/sesh 0755 optional,ignore-others
+ $libexecdir/sudo/python* optional,ignore,ignore-others
+ $libexecdir/sudo/* $shlib_mode optional
+ $sudoersdir/sudoers.d/ 0750 $sudoers_uid:$sudoers_gid
+ $rundir/ 0711 root:
+ $vardir/ 0711 root: ignore-others
+ $vardir/lectured/ 0700 root:
+ $docdir/ 0755
+ $docdir/** 0644
+%if [deb]
+ $docdir/LICENSE ignore,ignore-others
+ $docdir/ChangeLog ignore,ignore-others
+%endif
+%if X"$exampledir" != X"$docdir/examples"
+ $exampledir/ 0755 ignore-others
+ $exampledir/* 0644
+%endif
+ $exampledir/sudo_logsrv* optional,ignore,ignore-others
+ $exampledir/*.py optional,ignore,ignore-others
+ $localedir/*/ - optional
+ $localedir/*/LC_MESSAGES/ - optional
+ $localedir/*/LC_MESSAGES/* 0644 optional
+ /etc/pam.d/* 0644 volatile,optional
+%if [rpm,deb]
+ $sudoersdir/sudoers $sudoers_mode $sudoers_uid:$sudoers_gid volatile
+ $sysconfdir/sudo.conf 0644 root: volatile
+%else
+ $sudoersdir/sudoers.dist $sudoers_mode $sudoers_uid:$sudoers_gid
+%endif
+%if X"$aix_freeware" = X"true"
+ # Links for binaries from /opt/freeware to /usr
+ /usr/bin/cvtsudoers 0755 root: symlink $bindir/cvtsudoers
+ /usr/bin/sudo 0755 root: symlink $bindir/sudo
+ /usr/bin/sudoedit 0755 root: symlink $bindir/sudoedit
+ /usr/bin/sudoreplay 0755 root: symlink $bindir/sudoreplay
+ /usr/sbin/sudo_sendlog 0755 root: symlink $sbindir/sendlog
+ /usr/sbin/visudo 0755 root: symlink $sbindir/visudo
+%endif
+%if [rpm]
+ /etc/rc.d/init.d/sudo 0755 root: optional
+%endif
+%if [aix]
+ /etc/rc.d/ ignore
+ /etc/rc.d/rc2.d/ ignore
+ /etc/rc.d/rc2.d/** ignore
+ /etc/rc.d/init.d/ ignore
+ /etc/rc.d/init.d/sudo 0755 root:
+%endif
+%if [sd]
+ /sbin/ ignore
+ /sbin/rc2.d/ ignore
+ /sbin/rc2.d/** ignore
+ /sbin/init.d/ ignore
+ /sbin/init.d/sudo 0755 root:
+%endif
+ $mandir/man*/* 0644
+ $mandir/man*/sudo_logsrv* ignore,ignore-others
+ $mandir/man*/*python* ignore,ignore-others
+ $sudoedit_man 0644 symlink,ignore-others $sudoedit_man_target
+
+%pre [aix]
+ if rpm -q %{name} >/dev/null 2>&1; then
+ echo "Another version of sudo is currently installed via rpm." 2>&1
+ echo "Please either uninstall the rpm version of sudo by running \"rpm -e sudo\"" 2>&1
+ echo "or upgrade the existing version of sudo using the .rpm packagae instead" 2>&1
+ echo "instead of the .bff package." 2>&1
+ echo "" 2>&1
+ echo "Note that you may need to pass rpm the --oldpackage flag when upgrading" 2>&1
+ echo "the AIX Toolbox version of sudo to the latest sudo rpm from sudo.ws." 2>&1
+ echo "" 2>&1
+ exit 1
+ fi
+
+%post [!rpm,deb]
+ # Don't overwrite existing sudoers or sudo.conf files
+%if [solaris]
+ sudoersdir=${PKG_INSTALL_ROOT}%{sudoersdir}
+ sysconfdir=${PKG_INSTALL_ROOT}%{sysconfdir}
+ exampledir=${PKG_INSTALL_ROOT}%{exampledir}
+%else
+ sudoersdir=%{sudoersdir}
+ sysconfdir=%{sysconfdir}
+ exampledir=%{exampledir}
+%endif
+ if test ! -r $sudoersdir/sudoers; then
+ cp $sudoersdir/sudoers.dist $sudoersdir/sudoers
+ chmod %{sudoers_mode} $sudoersdir/sudoers
+ chown %{sudoers_uid} $sudoersdir/sudoers
+ chgrp %{sudoers_gid} $sudoersdir/sudoers
+ fi
+ if test ! -r $sysconfdir/sudo.conf; then
+ cp $exampledir/sudo.conf $sysconfdir/sudo.conf
+ chmod 644 $sysconfdir/sudo.conf
+ chown root $sysconfdir/sudo.conf
+ fi
+
+%post [deb]
+ set -e
+
+ # dpkg-deb does not maintain the mode on the sudoers file, and
+ # installs it 0640 when sudo requires 0440
+ chmod %{sudoers_mode} %{sudoersdir}/sudoers
+
+ # create symlink to ease transition to new path for ldap config
+ # if old config file exists and new one doesn't
+ if test X"%{flavor}" = X"ldap" -a \
+ -r /etc/ldap/ldap.conf -a ! -r /etc/sudo-ldap.conf; then
+ ln -s /etc/ldap/ldap.conf /etc/sudo-ldap.conf
+ fi
+
+ # Debian uses a sudo group in its default sudoers file
+ perl -e '
+ exit 0 if getgrnam("sudo");
+ $gid = 27; # default debian sudo gid
+ setgrent();
+ while (getgrgid($gid)) { $gid++; }
+ if ($gid != 27) {
+ print "On Debian we normally use gid 27 for \"sudo\".\n";
+ $gname = getgrgid(27);
+ print "However, on your system gid 27 is group \"$gname\".\n\n";
+ print "Would you like me to stop configuring sudo so that you can change this? [n] ";
+ $ans = <STDIN>;
+ if ($ans =~ /^[yY]/) {
+ print "\"dpkg --pending --configure\" will restart the configuration.\n\n";
+ exit 1;
+ }
+ }
+ print "Creating group \"sudo\" with gid = $gid\n";
+ system("groupadd -g $gid sudo");
+ exit 0;
+ '
+
+%post [rpm]
+ case "%{pp_rpm_distro}" in
+ aix*)
+ # Create /etc/rc.d/rc2.d/S90sudo link if possible
+ if [ -d /etc/rc.d/rc2.d ]; then
+ rm -f /etc/rc.d/rc2.d/S90sudo
+ ln -s /etc/rc.d/init.d/sudo /etc/rc.d/rc2.d/S90sudo
+ fi
+ ;;
+ esac
+
+%post [rpm,deb]
+ # Create /usr/lib/tmpfiles.d/sudo.conf if systemd is configured.
+ if [ -f /usr/lib/tmpfiles.d/systemd.conf ]; then
+ cat > /usr/lib/tmpfiles.d/sudo.conf <<-EOF
+ # Create an empty sudo time stamp directory on OSes using systemd.
+ # Sudo will create the directory itself but this can cause problems
+ # on systems that have SELinux enabled since the directories will be
+ # created with the user's security context.
+ d %{rundir} 0711 root root
+ D %{rundir}/ts 0700 root root
+ EOF
+ fi
+
+%post [aix]
+ # Create /etc/rc.d/rc2.d/S90sudo link if /etc/rc.d exists
+ if [ -d /etc/rc.d ]; then
+ rm -f /etc/rc.d/rc2.d/S90sudo
+ ln -s /etc/rc.d/init.d/sudo /etc/rc.d/rc2.d/S90sudo
+ fi
+
+%post [sd]
+ # Create /sbin/rc2.d/S900sudo link
+ rm -f /sbin/rc2.d/S900sudo
+ ln -s /sbin/init.d/sudo /sbin/rc2.d/S900sudo
+
+%preun
+ # Remove the time stamp dir and its contents
+ # We currently leave the lecture status files installed
+ rm -rf %{rundir}/ts
+%if [deb]
+ set -e
+
+ # Remove the /etc/ldap/ldap.conf -> /etc/sudo-ldap.conf symlink if
+ # it matches what we created in the postinstall script.
+ if test X"%{flavor}" = X"ldap" -a \
+ X"`readlink /etc/sudo-ldap.conf 2>/dev/null`" = X"/etc/ldap/ldap.conf"; then
+ rm -f /etc/sudo-ldap.conf
+ fi
+
+ # Remove systemd tmpfile config
+ rm -f /usr/lib/tmpfiles.d/sudo.conf
+%endif
+%if [rpm]
+ case "%{pp_rpm_distro}" in
+ aix*)
+ # Remove /etc/rc.d/rc2.d/S90sudo link
+ rm -f /etc/rc.d/rc2.d/S90sudo
+ ;;
+ *)
+ # Remove systemd tmpfile config
+ rm -f /usr/lib/tmpfiles.d/sudo.conf
+ ;;
+ esac
+%endif
+%if [aix]
+ # Remove /etc/rc.d/rc2.d/S90sudo link
+ rm -f /etc/rc.d/rc2.d/S90sudo
+%endif
+%if [sd]
+ # Remove /sbin/rc2.d/S900sudo link
+ rm -f /sbin/rc2.d/S900sudo
+%endif