Diffstat (limited to '')
-rwxr-xr-x | scripts/mkpkg | 591 |
1 files changed, 591 insertions, 0 deletions
diff --git a/scripts/mkpkg b/scripts/mkpkg
new file mode 100755
index 0000000..5871dc8
--- /dev/null
+++ b/scripts/mkpkg
@@ -0,0 +1,591 @@
+#!/bin/sh
+#
+# SPDX-License-Identifier: ISC
+#
+# Copyright (c) 2010-2023 Todd C. Miller <Todd.Miller@sudo.ws>
+#
+# Permission to use, copy, modify, and distribute this software for any
+# purpose with or without fee is hereby granted, provided that the above
+# copyright notice and this permission notice appear in all copies.
+#
+# THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+# WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+# MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+# ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+# WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+# ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+# OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+#
+# Build a binary package using polypkg
+# Usage: mkpkg [--build-only] [--configure-only] [--debug] [--flavor flavor]
+# [--platform platform] [--osversion ver]
+#
+
+# Make sure IFS is set to space, tab, newline in that order.
+space=' '
+tab=' '
+nl='
+'
+IFS=" $nl"
+
+# Parse arguments
+usage="usage: mkpkg [--build-only] [--configure-only] [--debug] [--flavor flavor] [--platform platform] [--osversion ver]"
+debug=0
+flavor=vanilla
+crossbuild=false
+build_packages=true;
+build_sudo=true;
+while test $# -gt 0; do
+ case "$1" in
+ --debug)
+ set -x
+ debug=1
+ PPFLAGS="--debug${PPFLAGS+$space}${PPFLAGS}"
+ ;;
+ --flavor=?*)
+ flavor=`echo "$1" | sed -n 's/^--flavor=\(.*\)/\1/p'`
+ PPVARS="${PPVARS}${PPVARS+$space}flavor=$flavor"
+ ;;
+ --flavor)
+ if [ $# -lt 2 ]; then
+ echo "$usage" 1>&2
+ exit 1
+ fi
+ flavor="$2"
+ PPVARS="${PPVARS}${PPVARS+$space}flavor=$flavor"
+ shift
+ ;;
+ --platform=?*)
+ arg=`echo "$1" | sed -n 's/^--platform=\(.*\)/\1/p'`
+ PPFLAGS="${PPFLAGS}${PPFLAGS+$space}--platform $arg"
+ ;;
+ --platform)
+ if [ $# -lt 2 ]; then
+ echo "$usage" 1>&2
+ exit 1
+ fi
+ PPFLAGS="${PPFLAGS}${PPFLAGS+$space}--platform $2"
+ shift
+ ;;
+ --osversion=?*)
+ arg=`echo "$1" | sed -n 's/^--osversion=\(.*\)/\1/p'`
+ osversion="$arg"
+ ;;
+ --osversion)
+ if [ $# -lt 2 ]; then
+ echo "$usage" 1>&2
+ exit 1
+ fi
+ osversion="$2"
+ shift
+ ;;
+ --build|--host)
+ crossbuild=true
+ configure_opts="${configure_opts}${configure_opts+$tab}$1"
+ ;;
+ --build-only)
+ build_packages=false
+ ;;
+ --configure-only)
+ build_sudo=false
+ ;;
+ *)
+ # Pass unknown options to configure
+ configure_opts="${configure_opts}${configure_opts+$tab}$1"
+ ;;
+ esac
+ shift
+done
+
+scriptdir=`dirname $0`
+configure="${scriptdir}/../configure"
+
+: ${osversion="`$scriptdir/pp --probe 2>/dev/null || echo unknown`"}
+osrelease=`echo "$osversion" | sed -e 's/^[^0-9]*//' -e 's/-.*$//'`
+: ${MAKE=make}
+
+if [ $build_packages = true -a "$osversion" = "unknown" ]; then
+ echo "unable to determine platform" 1>&2
+ exit 1
+fi
+
+# If using GNU make, set number of jobs
+if ${MAKE} --version 2>&1 | grep GNU >/dev/null; then
+ NJOBS=0
+ case "`uname`" in
+ Darwin)
+ # macOS
+ NJOBS=`sysctl -n hw.ncpu`
+ ;;
+ Linux)
+ if [ -x /usr/bin/nproc ]; then
+ NJOBS=`/usr/bin/nproc`
+ elif [ -r /proc/cpuinfo ]; then
+ NJOBS=`grep ^processor /proc/cpuinfo | wc -l`
+ fi
+ ;;
+ SunOS)
+ # Solaris
+ if [ -x /usr/sbin/psrinfo ]; then
+ NJOBS=`/usr/sbin/psrinfo | wc -l`
+ fi
+ ;;
+ HP-UX)
+ NJOBS=`sar -Mu 1 1 | awk 'END {print NR-5}'`
+ ;;
+ AIX)
+ NJOBS=`bindprocessor -q | awk '{print NF-4}'`
+ ;;
+ esac
+ if [ $NJOBS -gt 1 ]; then
+ if [ $NJOBS -gt 16 ]; then
+ NJOBS=16
+ fi
+ make_opts="-j$NJOBS"
+ fi
+fi
+
+# Choose compiler options by osversion if not cross-compiling.
+if [ "$crossbuild" = "false" ]; then
+ case "$osversion" in
+ FreeBSD*|macos*)
+ # Use clang, not gcc, on FreeBSD and macOS
+ if [ -z "$CC" ]; then
+ CC=clang; export CC
+ fi
+ ;;
+ esac
+fi
+
+# Give configure a hint that we are building a package.
+# Some libc functions are only available on certain OS revisions.
+configure_opts="${configure_opts}${configure_opts+$tab}--enable-package-build"
+
+# Some systems don't have a recent enough OpenSSL for the I/O log server.
+with_openssl=false
+
+# Not all systems have Python 3.
+with_python=false
+
+# Choose configure options by osversion.
+# We use the same configure options as vendor packages when possible.
+case "$osversion" in
+ centos*|rhel*|f[0-9]*)
+ case "$osversion" in
+ centos*|rhel*)
+ osmajor=`sed -n -e 's/^.*release \([0-9][0-9]*\).*$/\1/p' /etc/redhat-release`
+ if [ $osmajor -ge 4 ]; then
+ # RHEL 4 and up support SELinux
+ with_selinux=true
+ if [ $osmajor -ge 5 ]; then
+ # RHEL 5 and up has audit support and uses a
+ # separate PAM config file for "sudo -i".
+ with_linux_audit=true
+ with_pam_login=true
+ if [ $osmajor -ge 6 ]; then
+ # RHEL 6 and above builds sudo with SSSD support
+ with_sssd=true
+ # RHEL 6 and above use /etc/sudo-ldap.conf
+ with_sudo_ldap_conf=true
+ # Encrypted remote I/O log support.
+ with_openssl=true
+ fi
+ if [ $osmajor -ge 6 ]; then
+ # Python plugins
+ with_python=true
+ fi
+ fi
+ fi
+ ;;
+ f[0-9]*)
+ # XXX - investigate which features were in which fedora version
+ with_selinux=true
+ with_linux_audit=true
+ with_pam_login=true
+ with_sssd=true
+ with_openssl=true
+ with_python=true
+ ;;
+ esac
+
+ if [ X"$with_selinux" = X"true" ]; then
+ configure_opts="${configure_opts}${configure_opts+$tab}--with-selinux"
+ fi
+ if [ X"$with_linux_audit" = X"true" ]; then
+ configure_opts="${configure_opts}${configure_opts+$tab}--with-linux-audit"
+ PPVARS="${PPVARS}${PPVARS+$space}linux_audit=1.4.0"
+ fi
+ if [ X"$with_pam_login" = X"true" ]; then
+ configure_opts="${configure_opts}${configure_opts+$tab}--with-pam-login"
+ fi
+ if [ X"$with_sssd" = X"true" ]; then
+ configure_opts="${configure_opts}${configure_opts+$tab}--with-sssd"
+ if [ "`getconf LONG_BIT`" = "64" ]; then
+ # SSSD backend needs to know where to find the sssd lib
+ configure_opts="${configure_opts}${configure_opts+$tab}--with-sssd-lib=/usr/lib64"
+ fi
+ fi
+ if [ X"$with_sudo_ldap_conf" = X"true" ]; then
+ configure_opts="${configure_opts}${configure_opts+$tab}--with-ldap-conf-file=/etc/sudo-ldap.conf"
+ fi
+ # Note, must indent with tabs, not spaces due to IFS trickery
+ configure_opts="--prefix=/usr
+ --with-logging=syslog
+ --with-logfac=authpriv
+ --with-pam
+ --enable-zlib=system
+ --with-editor=/bin/vi
+ --with-env-editor
+ --with-ignore-dot
+ --with-ldap
+ --with-passprompt=[sudo] password for %p:
+ --with-sendmail=/usr/sbin/sendmail
+ $configure_opts"
+ ;;
+ sles*)
+ if [ $osrelease -ge 10 ]; then
+ if [ $osrelease -ge 11 ]; then
+ # SLES 11 and higher have SELinux
+ configure_opts="${configure_opts}${configure_opts+$tab}--with-selinux"
+ fi
+ if [ $osrelease -ge 12 ]; then
+ # Encrypted remote I/O log support.
+ with_openssl=true
+ # Python plugins
+ with_python=true
+ fi
+ fi
+ # SuSE doesn't have /usr/libexec
+ libexec=lib
+ case "$osversion" in
+ *64*) gcc -v 2>&1 | grep "with-cpu=[^ ]*32" >/dev/null || libexec=lib64
+ ;;
+ esac
+ # Note, must indent with tabs, not spaces due to IFS trickery
+ # XXX - SuSE uses secure path but only for env_reset
+ configure_opts="--prefix=/usr
+ --libexecdir=/usr/$libexec
+ --with-logging=syslog
+ --with-logfac=auth
+ --with-all-insults
+ --with-ignore-dot
+ --enable-shell-sets-home
+ --with-sudoers-mode=0440
+ --with-pam
+ --enable-zlib=system
+ --with-ldap
+ --with-env-editor
+ --with-passprompt=%p\'s password:
+ --with-sendmail=/usr/sbin/sendmail
+ $configure_opts"
+
+ make_opts="${make_opts}${make_opts+ }"'docdir=$(datarootdir)/doc/packages/$(PACKAGE_TARNAME)'
+ ;;
+ deb*|ubu*)
+ # Sudo-specific executables moved to /usr/libexec/sudo starting in
+ # Debian: Debian 12 (Bookworm)
+ # Ubuntu: Ubuntu 22.04 (Jammy Jellyfish)
+ # Previously, they were stored in /usr/lib/sudo.
+ libexec=lib
+
+ # AppArmor is enabled by default starting in
+ # Debian: Debian 10 (Buster)
+ # Ubuntu: Ubuntu 12.04 (Precise Pangolin)
+ osmajor=`sed -n -e 's/^VERSION_ID=\"\([0-9]*\).*$/\1/p' /etc/os-release`
+ case "$osversion" in
+ deb*)
+ if [ -z $osmajor ] || [ $osmajor -ge 10 ]; then
+ with_apparmor=true
+ fi
+ if [ -z $osmajor ] || [ $osmajor -ge 12 ]; then
+ libexec=libexec
+ fi
+ ;;
+ ubu*)
+ if [ -z $osmajor ] || [ $osmajor -ge 14 ]; then
+ with_apparmor=true
+ fi
+ if [ -z $osmajor ] || [ $osmajor -ge 22 ]; then
+ libexec=libexec
+ fi
+ ;;
+ esac
+
+ # Encrypted remote I/O log support.
+ with_openssl=true
+ # Python plugins
+ with_python=true
+ # Man pages should be compressed in .deb files
+ export MANCOMPRESS='gzip -9'
+ export MANCOMPRESSEXT='.gz'
+ # If Ubuntu, add --enable-admin-flag
+ case "$osversion" in
+ ubu*)
+ configure_opts="${configure_opts}${configure_opts+$tab}--enable-admin-flag${tab}--without-lecture"
+ ;;
+ esac
+ # Newer Debian uses arch-specific lib dirs
+ MULTIARCH=`dpkg-architecture -qDEB_HOST_MULTIARCH 2>/dev/null`
+ # Note, must indent with tabs, not spaces due to IFS trickery
+ if [ "$flavor" = "ldap" ]; then
+ configure_opts="${configure_opts}${configure_opts+$tab}--with-ldap
+ --with-ldap-conf-file=/etc/sudo-ldap.conf"
+ else
+ configure_opts="${configure_opts}${configure_opts+$tab}--with-sssd"
+ if [ -n "$MULTIARCH" ]; then
+ # SSSD backend needs to know where to find the sssd lib
+ configure_opts="${configure_opts}${configure_opts+$tab}--with-sssd-lib=/usr/lib/$MULTIARCH"
+ fi
+ fi
+ if [ X"$with_apparmor" = X"true" ]; then
+ configure_opts="${configure_opts}${configure_opts+$tab}--with-apparmor"
+ fi
+ configure_opts="--prefix=/usr
+ --with-all-insults
+ --with-pam
+ --enable-zlib=system
+ --with-fqdn
+ --with-logging=syslog
+ --with-logfac=authpriv
+ --with-env-editor
+ --with-editor=/usr/bin/editor
+ --with-timeout=15
+ --with-password-timeout=0
+ --with-passprompt=[sudo] password for %p:
+ --disable-root-mailer
+ --with-sendmail=/usr/sbin/sendmail
+ --mandir=/usr/share/man
+ --libexecdir=/usr/$libexec
+ --with-linux-audit
+ $configure_opts"
+ # Use correct libaudit dependency
+ for f in /lib/${MULTIARCH}${MULTIARCH:+/}libaudit.so.[0-9]* /lib/libaudit.so.[0-9]*; do
+ if [ -f "$f" ]; then
+ linux_audit=`dpkg-query -S "$f" 2>/dev/null | sed -n 's/:.*//p'`
+ test -n "$linux_audit" && break
+ fi
+ done
+ if [ -z "$linux_audit" ]; then
+ echo "unable to determine package for libaudit" 1>&2
+ exit 1
+ fi
+ PPVARS="${PPVARS}${PPVARS+$space}linux_audit=$linux_audit"
+ # Use correct libssl dependency
+ libssl_dep=`dpkg-query -S /usr/lib/${MULTIARCH}${MULTIARCH:+/}libssl.so.[1-9]* /lib/${MULTIARCH}${MULTIARCH:+/}libssl.so.[1-9]* 2>/dev/null | sort -rn | awk -F: '{ print $1; exit }'`
+ if [ -z "$libssl_dep" ]; then
+ echo "unable to determine package for libssl" 1>&2
+ exit 1
+ fi
+ PPVARS="${PPVARS}${PPVARS+$space}libssl_dep=$libssl_dep"
+ ;;
+ macos*)
+ # TODO: openssl (homebrew?)
+ case "$osversion" in
+ macos10[0-6]-i386|macos10[0-6]-x86_64)
+ # Build intel universal binaries for 10.6 and below
+ : ${ARCH_FLAGS="-arch i386 -arch x86_64"}
+ ;;
+ macos1[1-9]*)
+ # Build arm64/x86_64 universal binaries for macOS 11
+ : ${ARCH_FLAGS="-arch arm64 -arch x86_64"}
+ ;;
+ esac
+ if [ "${osversion}" != "`$scriptdir/pp --probe`" ]; then
+ sdkvers=`echo "${osversion}" | sed -e 's/^macos\([0-9][0-9]\)\([0-9]*\)-.*$/\1.\2/' -e 's/\.$//'`
+ # SDKs may be under Xcode.app or CommandLineTools (for non-Xcode)
+ if [ -d "/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs" ]; then
+ SDKS="/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs"
+ elif [ -d "/Library/Developer/CommandLineTools/SDKs" ]; then
+ SDKS="/Library/Developer/CommandLineTools/SDKs"
+ else
+ echo "unable to find macOS SDKs directory" 1>&2
+ exit 1
+ fi
+ while :; do
+ SDK_DIR="${SDKS}/MacOSX${sdkvers}.sdk"
+ if [ -d "${SDK_DIR}" ]; then
+ SDK_FLAGS="-isysroot ${SDK_DIR} -mmacosx-version-min=${sdkvers}"
+ break
+ fi
+ case "$sdkvers" in
+ *.00)
+ # Try MacOSXMM.0.sdk
+ sdkvers=${sdkvers%0}
+ ;;
+ *.0)
+ # Try MacOSXMM.sdk
+ sdkvers=${sdkvers%.0}
+ ;;
+ *)
+ echo "missing $SDK_DIR" 1>&2
+ exit 1
+ ;;
+ esac
+ done
+ fi
+ export CFLAGS="-O2 -g $ARCH_FLAGS $SDK_FLAGS"
+ export LDFLAGS="$ARCH_FLAGS $SDK_FLAGS"
+ # Note, must indent with tabs, not spaces due to IFS trickery
+ configure_opts="--with-pam
+ --with-bsm-audit
+ --with-password-timeout=0
+ --enable-zlib=system
+ --with-ldap
+ --with-insults=disabled
+ --with-logging=syslog
+ --with-logfac=authpriv
+ --with-editor=/usr/bin/vim
+ --with-env-editor
+ $configure_opts"
+ ;;
+ aix*)
+ # TODO: openssl (AIX freeware?)
+ # Use -gxcoff with gcc instead of -g for dbx-style debugging symbols.
+ if test -z "$CC" && gcc -v >/dev/null 2>&1; then
+ CFLAGS="-O2 -gxcoff"; export CFLAGS
+ fi
+ # Note, must indent with tabs, not spaces due to IFS trickery
+ # Note: we include our own zlib instead of relying on the
+ # AIX freeware version being installed.
+ configure_opts="
+ --prefix=/opt/freeware
+ --mandir=/opt/freeware/man
+ --with-insults=disabled
+ --with-logging=syslog
+ --with-logfac=auth
+ --with-editor=/usr/bin/vi
+ --with-env-editor
+ --enable-zlib=builtin
+ --disable-nls
+ --with-sendmail=/usr/sbin/sendmail
+ $configure_opts"
+ PPVARS="${PPVARS}${PPVARS+$space}aix_freeware=true"
+ ;;
+ FreeBSD*|DragonFly*)
+ # Encrypted remote I/O log support.
+ with_openssl=true
+
+ # Python plugins
+ with_python=true
+
+ configure_opts="
+ --sysconfdir=/usr/local/etc
+ --with-ignore-dot
+ --with-tty-tickets
+ --with-env-editor
+ --with-logincap
+ --with-long-otp-prompt
+ --with-rundir=/var/run/sudo
+ --enable-zlib=system
+ --disable-nls
+ $configure_opts"
+ ;;
+ *)
+ # For Solaris, add project support and use let configure choose zlib.
+ # For all others, use the builtin zlib and disable NLS support.
+ case "$osversion" in
+ sol*)
+ configure_opts="${configure_opts}${configure_opts+$tab}--with-project"
+
+ if [ $osrelease -ge 11 ]; then
+ # Build 64-bit binaries on Solaris 11 and above.
+ case "${CC}${CFLAGS}" in
+ *-m32*|*-m64*)
+ # User specified memory model flags
+ ;;
+ *)
+ CFLAGS="${CFLAGS:--O2 -g} -m64"; export CFLAGS
+ LDFLAGS="-m64${LDFLAGS:+ }${LDFLAGS}"; export LDFLAGS
+ ;;
+ esac
+ # Solaris audit is not supported by Illumos
+ if [ X"`uname -o 2>/dev/null`" = X"illumos" ]; then
+ configure_opts="${configure_opts}${configure_opts+$tab}--with-bsm-audit"
+ else
+ configure_opts="${configure_opts}${configure_opts+$tab}--with-solaris-audit"
+ fi
+ # Encrypted remote I/O log support.
+ with_openssl=true
+ # Python plugins
+ with_python=true
+
+ # We prefer the system version of python3 to the
+ # csw one (which may be 32-bit)
+ if [ -z "$PYTHON" ]; then
+ if [ -x /usr/bin/python3 ]; then
+ PYTHON="/usr/bin/python3"; export PYTHON
+ else
+ # Sometimes the /usr/bin/python3 is missing
+ for f in /usr/bin/python3.11 /usr/bin/python3.10 /usr/bin/python3.9 /usr/bin/python3.8 /usr/bin/python3.7 /usr/bin/python3.6 /usr/bin/python3.5 /usr/bin/python3.4; do
+ if [ -x $f ]; then
+ PYTHON="$f"; export PYTHON
+ break
+ fi
+ done
+ fi
+ fi
+ fi
+ ;;
+ hpux*-ia64)
+ # Build 64-bit binaries on HP-UX ia64
+ if test -z "$CC" && gcc -v >/dev/null 2>&1; then
+ CC="gcc -mlp64"; export CC
+ fi
+ # TODO: openssl
+ configure_opts="${configure_opts}${configure_opts+$tab}--enable-zlib=builtin${tab}--disable-nls"
+ ;;
+ *)
+ # TODO: openssl
+ configure_opts="${configure_opts}${configure_opts+$tab}--enable-zlib=builtin${tab}--disable-nls"
+ ;;
+ esac
+ if [ "$flavor" = "ldap" ]; then
+ configure_opts="${configure_opts}${configure_opts+$tab}--with-ldap"
+ fi
+ # Note, must indent with tabs, not spaces due to IFS trickery
+ configure_opts="
+ --with-insults=disabled
+ --with-logging=syslog
+ --with-logfac=auth
+ --with-editor=/usr/bin/vim:/usr/bin/vi:/bin/vi
+ --with-env-editor
+ $configure_opts"
+ ;;
+esac
+
+# Don't enable OpenSSL or python if disabled by the user.
+case "$configure_opts" in
+ *--disable-openssl*) with_openssl=false;;
+esac
+case "$configure_opts" in
+ *--disable-python*) with_python=false;;
+esac
+if [ X"$with_openssl" = X"true" ]; then
+ configure_opts="${configure_opts}${configure_opts+$tab}--enable-openssl"
+fi
+if [ X"$with_python" = X"true" ]; then
+ configure_opts="${configure_opts}${configure_opts+$tab}--enable-python"
+fi
+
+# The postinstall script will create tmpfiles.d/sudo.conf for us
+configure_opts="${configure_opts}${configure_opts+$tab}--disable-tmpfiles.d"
+
+# Remove spaces from IFS when setting $@ so that passprompt may include them
+OIFS="$IFS"
+IFS=" $nl"
+set -- $configure_opts $extra_opts
+IFS="$OIFS"
+if [ -r Makefile ]; then
+ ${MAKE} $make_opts distclean
+fi
+${configure} "$@" || exit $?
+if [ $build_sudo = true ]; then
+ ${MAKE} $make_opts || exit $?
+ if [ $build_packages = true ]; then
+ ${MAKE} $make_opts PPFLAGS="$PPFLAGS" PPVARS="$PPVARS" package
+ fi
+fi
+exitval=$?
+test $debug -eq 0 && rm -rf destdir
+
+exit $exitval |
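Review bot: In the `centos*|rhel*` arm an empty `osmajor` turns `[ $osmajor -ge 4 ]` into a test error that the `if` treats as false, so none of `with_selinux`, `with_linux_audit`, `with_pam_login`, `with_sssd`, `with_openssl` or `with_python` is enabled and the package is still built, with only a `[` diagnostic on stderr to show for it. `osmajor` is read from the build host's `/etc/redhat-release` even when `--osversion` was given explicitly, so the file may be absent or disagree with the requested target; the `deb*|ubu*` arm handles the same situation differently, treating an empty value as the newest release via `[ -z $osmajor ] ||`. Failing closed right after the `sed` would make a degraded build visible: `test -n "$osmajor" || { echo "unable to determine OS major version" 1>&2; exit 1; }`. The unquoted `[ $osrelease -ge ... ]` tests in the `sles*` and `sol*` arms have the same shape when `osversion` carries no digits.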