diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 14:37:38 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-07 14:37:38 +0000 |
commit | ae581a19fbe896a797450b9d9573fb66f2735227 (patch) | |
tree | 56c40be8518a29c9351364d13a9676aa83932dc0 /etc | |
parent | Initial commit. (diff) | |
download | sudo-ae581a19fbe896a797450b9d9573fb66f2735227.tar.xz sudo-ae581a19fbe896a797450b9d9573fb66f2735227.zip |
Adding upstream version 1.9.13p3.upstream/1.9.13p3upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r-- | etc/codespell.exclude | 34 | ||||
-rw-r--r-- | etc/codespell.ignore | 16 | ||||
-rw-r--r-- | etc/codespell.skip | 25 | ||||
-rw-r--r-- | etc/init.d/aix.sh.in | 25 | ||||
-rw-r--r-- | etc/init.d/hpux.sh.in | 27 | ||||
-rw-r--r-- | etc/init.d/sudo.conf.in | 6 | ||||
-rw-r--r-- | etc/macos-background.png | bin | 0 -> 17896 bytes | |||
-rw-r--r-- | etc/sudo-logsrvd.pp | 272 | ||||
-rw-r--r-- | etc/sudo-python.pp | 161 | ||||
-rw-r--r-- | etc/sudo.pp | 571 |
10 files changed, 1137 insertions, 0 deletions
diff --git a/etc/codespell.exclude b/etc/codespell.exclude new file mode 100644 index 0000000..2c1f54f --- /dev/null +++ b/etc/codespell.exclude @@ -0,0 +1,34 @@ + "You empty-headed animal food trough wiper!", + * Returns true if any tags set in nt differ between ot and nt, else false. +#define TAGS_CHANGED(ot, nt) \ + ((TAG_SET((nt).follow) && (nt).follow != (ot).follow) || \ + (TAG_SET((nt).intercept) && (nt).intercept != (ot).intercept) || \ + (TAG_SET((nt).log_input) && (nt).log_input != (ot).log_input) || \ + (TAG_SET((nt).log_output) && (nt).log_output != (ot).log_output) || \ + (TAG_SET((nt).noexec) && (nt).noexec != (ot).noexec) || \ + (TAG_SET((nt).nopasswd) && (nt).nopasswd != (ot).nopasswd) || \ + (TAG_SET((nt).setenv) && (nt).setenv != (ot).setenv) || \ + (TAG_SET((nt).send_mail) && (nt).send_mail != (ot).send_mail)) + sv sw ta te tg th tr uk ur vi wa wo zh_CN zh_HK + if (!PyArg_ParseTupleAndKeywords(py_args ? py_args : py_empty, py_kwargs, "Ois|i:sudo.ConvMessage", (char **)keywords, + $ans = <STDIN>; + if ($ans =~ /^[yY]/) { +.nr BA @BAMAN@ +.if \n(BA \{\ +.Nd convert between sudoers file formats +.Nd configuration for sudo front-end +.Nd execute a command as another user +.Nd Sudo log server protocol +.Nd configuration for sudo_logsrvd +.Nd sudo event and I/O log server +.Nd Sudo Plugin API +.Nd Sudo Plugin API (Python) +.Nd send sudo I/O log to log server +.Nd sudo LDAP configuration +.Nd default sudo security policy plugin +.Nd Sudoers Time Stamp Format +.Nd replay sudo session logs +.Nd edit the sudoers file + * If path doesn't end in /, return true iff cmnd & path name the same inode; + * Tim Fraser + echo ".Nd sudo" >> conftest diff --git a/etc/codespell.ignore b/etc/codespell.ignore new file mode 100644 index 0000000..d242e62 --- /dev/null +++ b/etc/codespell.ignore @@ -0,0 +1,16 @@ +SOM +VAS +alloced +edn +fIDN +ist +numer +pleas +sav +statics +thur +toke +vas +wit +siz +clen diff --git a/etc/codespell.skip b/etc/codespell.skip new file mode 100644 index 0000000..bbf3d02 --- /dev/null +++ b/etc/codespell.skip @@ -0,0 +1,25 @@ +\.in\.sed$ +/data +Makefile\.in +^ChangeLog$ +^MANIFEST$ +^aclocal\.m4$ +^autogen\.sh$ +^config\.h\.in$ +^configure$ +^docs/.*\.man\.in$ +^docs/CONTRIBUTORS$ +^etc/codespell +^lib/util/fnmatch\.c$ +^lib/util/getaddrinfo\.c$ +^lib/zlib/ +^libtool$ +^m4/libtool\.m4$ +^m4/lt.*\.m4$ +^plugins/sudoers/po/ +^po/ +^scripts/config\.guess$ +^scripts/config\.sub$ +^scripts/ltmain\.sh$ +^scripts/mkinstalldirs$ +^scripts/pp$ diff --git a/etc/init.d/aix.sh.in b/etc/init.d/aix.sh.in new file mode 100644 index 0000000..3d11241 --- /dev/null +++ b/etc/init.d/aix.sh.in @@ -0,0 +1,25 @@ +#!/bin/sh +# +# Simple AIX rc.d script to remove the sudo timestamp directory on boot. +# This is needed because AIX does not have /var/run. +# Install as /etc/rc.d/init.d/sudo with a link /etc/rc.d/rc2.d/S90sudo +# + +PATH=/usr/sbin:/usr/bin:/sbin +export PATH + +TSDIR="@rundir@/ts" +rval=0 + +case "$1" in +start) + echo "Removing the $TSDIR directory" + rm -rf "$TSDIR" + ;; +*) + echo "usage: $0 start" + rval=1 + ;; +esac + +exit $rval diff --git a/etc/init.d/hpux.sh.in b/etc/init.d/hpux.sh.in new file mode 100644 index 0000000..5a76bd2 --- /dev/null +++ b/etc/init.d/hpux.sh.in @@ -0,0 +1,27 @@ +#!/sbin/sh +# +# Simple HP-UX init.d script to remove the sudo timestamp directory on boot. +# This is needed because HP-UX does not clear /var/run on its own. +# Install as /sbin/init.d/sudo with a link /sbin/rc2.d/S900sudo +# + +PATH=/usr/sbin:/usr/bin:/sbin +export PATH + +TSDIR="@rundir@/ts" +rval=0 + +case "$1" in +start_msg) + echo "Removing the $TSDIR directory" + ;; +start) + rm -rf "$TSDIR" + ;; +*) + echo "usage: $0 {start|start_msg}" + rval=1 + ;; +esac + +exit $rval diff --git a/etc/init.d/sudo.conf.in b/etc/init.d/sudo.conf.in new file mode 100644 index 0000000..dfae56b --- /dev/null +++ b/etc/init.d/sudo.conf.in @@ -0,0 +1,6 @@ +# Create an empty sudo time stamp directory on OSes using systemd. +# Sudo will create the directory itself but this can cause problems +# on systems that have SELinux enabled since the directories will be +# created with the user's security context. +d @rundir@ 0711 root root +D @rundir@/ts 0700 root root diff --git a/etc/macos-background.png b/etc/macos-background.png Binary files differnew file mode 100644 index 0000000..4153667 --- /dev/null +++ b/etc/macos-background.png diff --git a/etc/sudo-logsrvd.pp b/etc/sudo-logsrvd.pp new file mode 100644 index 0000000..242b219 --- /dev/null +++ b/etc/sudo-logsrvd.pp @@ -0,0 +1,272 @@ +%set + name="sudo-logsrvd" + summary="Sudo event and I/O log server" + description="The sudo_logsrvd daemon collects event and I/O logs \ +from sudo clients. +This makes it possible to have all sudo I/O logs on a central server." + vendor="Todd C. Miller" + copyright="(c) 2019-2021 Todd C. Miller" + +%if [aix] + # Convert to 4 part version for AIX, including patch level + pp_aix_version=`echo $version|sed -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)p\([0-9]*\)$/\1.\2/' -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)[^0-9\.].*$/\1/' -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)$/\1.0/'` + + # Don't allow sudo to prompt for a password + pp_aix_sudo="sudo -n" +%endif + +%if [sd] + pp_sd_vendor_tag="TCM" +%endif + +%if [solaris] + pp_solaris_name="TCM${name}" + pp_solaris_pstamp=`/usr/bin/date "+%B %d, %Y"` +%endif + +%if [macos] + # System Integrity Protection on macOS won't allow us to write + # directly to /etc or /var. We must install in /private instead. + case "$sysconfdir" in + /etc|/etc/*) + mkdir -p ${pp_destdir}/private + chmod 755 ${pp_destdir}/private + if test -d ${pp_destdir}/etc; then + mv ${pp_destdir}/etc ${pp_destdir}/private/etc + fi + sysconfdir="/private${sysconfdir}" + ;; + esac + case "$vardir" in + /var|/var/*) + mkdir -p ${pp_destdir}/private + chmod 755 ${pp_destdir}/private + if test -d ${pp_destdir}/var; then + mv ${pp_destdir}/var ${pp_destdir}/private/var + fi + vardir="/private${vardir}" + ;; + esac + case "$rundir" in + /var|/var/*) + mkdir -p ${pp_destdir}/private + chmod 755 ${pp_destdir}/private + if test -d ${pp_destdir}/var; then + mv ${pp_destdir}/var ${pp_destdir}/private/var + fi + rundir="/private${rundir}" + ;; + esac +%endif + +%if [rpm,deb] + # Convert patch level into release and remove from version + pp_rpm_release="`expr \( $version : '.*p\([0-9][0-9]*\)$' \| 0 \) + 1`" + pp_rpm_version="`expr \( $version : '\(.*\)p[0-9][0-9]*$' \| $version \)`" + pp_rpm_license="BSD" + pp_rpm_url="https://www.sudo.ws" + pp_rpm_group="Applications/System" + pp_rpm_packager="Todd C. Miller <Todd.Miller@sudo.ws>" +%else + # We install sudo_logsrvd.conf from the example dir during post-install + rm -f ${pp_destdir}$sysconfdir/sudo_logsrvd.conf +%endif + + # Stash original docdir and exampledir + odocdir="${docdir}" + oexampledir="${exampledir}" + + # docdir and exampledir are installed with "sudo" as the package + # name which may not be correct. + docdir="`echo \"${docdir}\" | sed 's#/sudo$#/'\"${name}\"'#'`" + if test "${exampledir}" = "${odocdir}/examples"; then + exampledir="${docdir}/examples" + else + exampledir="`echo \"${exampledir}\" | sed 's#/sudo$#/'\"${name}\"'#'`" + fi + + # For RedHat the doc dir is expected to include version and release + case "$pp_rpm_distro" in + centos*|rhel*|f[0-9]*) + docdir="${docdir}-${pp_rpm_version}-${pp_rpm_release}" + exampledir="${docdir}/examples" + ;; + esac + + # Copy docdir and exampledir to new names if needed + if test ! -d "${pp_destdir}${docdir}"; then + cp -R ${pp_destdir}${odocdir} ${pp_destdir}${docdir} + find ${pp_destdir}${docdir} -depth | sed "s#^${pp_destdir}##" >> ${pp_wrkdir}/pp_cleanup + fi + if test ! -d "${pp_destdir}${exampledir}"; then + cp -R ${pp_destdir}${oexampledir} ${pp_destdir}${exampledir} + find ${pp_destdir}${exampledir} -depth | sed "s#^${pp_destdir}##" >> ${pp_wrkdir}/pp_cleanup + fi + +%if [deb] + pp_deb_maintainer="$pp_rpm_packager" + pp_deb_release="$pp_rpm_release" + pp_deb_version="$pp_rpm_version" + pp_deb_section=admin + install -D -m 644 ${pp_destdir}$docdir/LICENSE.md ${pp_wrkdir}/${name}/usr/share/doc/${name}/copyright + install -D -m 644 ${pp_destdir}$docdir/ChangeLog ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog + gzip -9f ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog + printf "$name ($pp_deb_version-$pp_deb_release) admin; urgency=low\n\n * see upstream changelog\n\n -- $pp_deb_maintainer `date '+%a, %d %b %Y %T %z'`\n" > ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian + chmod 644 ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian + gzip -9f ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian + # Create lintian override file + mkdir -p ${pp_wrkdir}/${name}/usr/share/lintian/overrides + cat >${pp_wrkdir}/${name}/usr/share/lintian/overrides/${name} <<-EOF + # Sudo ships with debugging symbols + $name: unstripped-binary-or-object + EOF + chmod 644 ${pp_wrkdir}/${name}/usr/share/lintian/overrides/${name} + # If libssl_dep not passed in, try to figure it out + if test -z "$libssl_dep"; then + libssl_dep="`ldd $libexecdir/sudo/sudoers.so 2>&1 | sed -n 's/^[ ]*libssl\.so\([0-9.]*\).*/libssl\1/p'`" + fi +%endif + +%if [rpm] + # Add distro info to release + osrelease=`echo "$pp_rpm_distro" | sed -e 's/^[^0-9]*\([0-9]\{1,2\}\).*/\1/'` + case "$pp_rpm_distro" in + centos*|rhel*|f[0-9]*) + # CentOS Stream has a single-digit version + if test $osrelease -lt 10; then + osrelease="${osrelease}0" + fi + pp_rpm_release="$pp_rpm_release.el${osrelease%%[0-9]}" + ;; + sles*) + pp_rpm_release="$pp_rpm_release.sles$osrelease" + ;; + esac +%endif + +%if [macos] + pp_macos_pkg_type=flat + pp_macos_bundle_id=ws.sudo.pkg.sudo-logsrvd + pp_macos_pkg_background=${srcdir}/etc/macos-background.png + pp_macos_pkg_background_dark=${srcdir}/etc/macos-background.png + pp_macos_pkg_license=${pp_destdir}$docdir/LICENSE.md + pp_macos_pkg_readme=${pp_wrkdir}/ReadMe.txt + perl -pe 'last if (/^What/i && $seen++)' ${pp_destdir}$docdir/NEWS > ${pp_wrkdir}/ReadMe.txt +%endif + +%if X"$aix_freeware" = X"true" + # Create links from /opt/freeware/sbin -> /usr/sbin + mkdir -p ${pp_destdir}/usr/sbin + ln -s -f ${sbindir}/sudo_logsrvd ${pp_destdir}/usr/sbin +%endif + +%if [!rpm,deb] + # Package parent directories when not installing under /usr + if test "${prefix}" != "/usr"; then + extradirs=`echo ${pp_destdir}${mandir}/[mc]* | sed "s#${pp_destdir}##g"` + extradirs="$extradirs `dirname $docdir` `dirname $rundir`" + test "`dirname $exampledir`" != "$docdir" && extradirs="$extradirs `dirname $exampledir`" + for dir in $sbindir $extradirs; do + while test "$dir" != "/"; do + parentdirs="${parentdirs}${parentdirs+ }$dir/" + dir=`dirname $dir` + done + done + parentdirs=`echo $parentdirs | tr " " "\n" | sort -u` + fi +%endif + +%depend [deb] + libc6, zlib1g, sudo + +%fixup [deb] + if test -n "%{libssl_dep}"; then + DEPENDS="%{libssl_dep}" + cp -p %{pp_wrkdir}/%{name}/DEBIAN/control %{pp_wrkdir}/%{name}/DEBIAN/control.$$ + sed "s/^\(Depends:.*\) *$/\1, ${DEPENDS}/" %{pp_wrkdir}/%{name}/DEBIAN/control.$$ > %{pp_wrkdir}/%{name}/DEBIAN/control + rm -f %{pp_wrkdir}/%{name}/DEBIAN/control.$$ + fi + echo "Homepage: https://www.sudo.ws" >> %{pp_wrkdir}/%{name}/DEBIAN/control + echo "Bugs: https://bugzilla.sudo.ws" >> %{pp_wrkdir}/%{name}/DEBIAN/control + +%fixup [rpm] + cat > %{pp_wrkdir}/${name}.spec.sed <<-'EOF' + /^%files/ { + i\ + %clean\ + :\ + + } + EOF + mv %{pp_wrkdir}/${name}.spec %{pp_wrkdir}/${name}.spec.bak + sed -f %{pp_wrkdir}/${name}.spec.sed %{pp_wrkdir}/${name}.spec.bak > %{pp_wrkdir}/${name}.spec + +%files + /** ignore +%if X"$parentdirs" != X"" + $parentdirs - ignore-others +%endif + $sbindir/sudo_logsrvd 0755 ignore-others + $mandir/man*/*logsrv* 0644 ignore-others + $rundir/ 0711 root: ignore-others + $docdir/ 0755 ignore-others + $exampledir/ 0755 ignore-others + $exampledir/*logsrv* 0644 ignore-others +%if [rpm,deb] + $sysconfdir/sudo_logsrvd.conf 0644 root: volatile,ignore-others +%endif +%if X"$aix_freeware" = X"true" + # Links for binaries from /opt/freeware to /usr + /usr/sbin/sudo_logsrvd 0755 root: symlink,ignore-others $sbindir/logsrvd +%endif + +%post [!rpm,deb] + # Don't overwrite existing sudo_logsrvd.conf files +%if [solaris] + sysconfdir=${PKG_INSTALL_ROOT}%{sysconfdir} + exampledir=${PKG_INSTALL_ROOT}%{exampledir} +%else + sysconfdir=%{sysconfdir} + exampledir=%{exampledir} +%endif + if test ! -r $sysconfdir/sudo_logsrvd.conf; then + cp $exampledir/sudo_logsrvd.conf $sysconfdir/sudo_logsrvd.conf + chmod 644 $sysconfdir/sudo_logsrvd.conf + chown root $sysconfdir/sudo_logsrvd.conf + fi + +%service sudo_logsrvd +%if [aix,macos] + cmd="${sbindir}/sudo_logsrvd -n" +%else + cmd=${sbindir}/sudo_logsrvd + pidfile=${rundir}/sudo_logsrvd.pid +%endif +%if [macos] + pp_macos_service_id=ws.sudo.sudo_logsrvd +%endif +%if [rpm,deb] + # Only include systemd support if it exists on the build machine. + # This assumes that we are building on the same distro that the + # package will be installed on (which is the case for sudo). + if test -d /etc/systemd; then + for d in `pkg-config systemd --variable=systemdsystemunitdir 2>/dev/null` /lib/systemd/system /usr/lib/systemd/system; do + if test -d "$d"; then + break + fi + done + pp_systemd_service_description="Sudo central log server" + pp_systemd_service_dir="$d" + pp_systemd_service_exec="${cmd}" + pp_systemd_service_exec_args="-n" + pp_systemd_service_man="man:sudo_logsrvd(8) man:sudo_logsrvd.conf(5)" + pp_systemd_service_documentation="https://www.sudo.ws/man.html" + pp_systemd_service_after="syslog.target network.target auditd.service" + pp_systemd_service_killmode="process" + pp_systemd_service_type="exec" + pp_systemd_system_target="multi-user.target" + else + # No systemd support + pp_systemd_disabled=true + fi +%endif diff --git a/etc/sudo-python.pp b/etc/sudo-python.pp new file mode 100644 index 0000000..9250da4 --- /dev/null +++ b/etc/sudo-python.pp @@ -0,0 +1,161 @@ +%set + name="sudo-python" + summary="Sudo Python plugin framework" + description="The sudo Python plugin allows you to extend sudo using Python." + vendor="Todd C. Miller" + copyright="(c) 2019-2021 Todd C. Miller" + +%if [aix] + # Convert to 4 part version for AIX, including patch level + pp_aix_version=`echo $version|sed -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)p\([0-9]*\)$/\1.\2/' -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)[^0-9\.].*$/\1/' -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)$/\1.0/'` + + # Don't allow sudo to prompt for a password + pp_aix_sudo="sudo -n" +%endif + +%if [sd] + pp_sd_vendor_tag="TCM" +%endif + +%if [solaris] + pp_solaris_name="TCM${name}" + pp_solaris_pstamp=`/usr/bin/date "+%B %d, %Y"` +%endif + +%if [rpm,deb] + # Convert patch level into release and remove from version + pp_rpm_release="`expr \( $version : '.*p\([0-9][0-9]*\)$' \| 0 \) + 1`" + pp_rpm_version="`expr \( $version : '\(.*\)p[0-9][0-9]*$' \| $version \)`" + pp_rpm_license="BSD" + pp_rpm_url="https://www.sudo.ws" + pp_rpm_group="Applications/System" + pp_rpm_packager="Todd C. Miller <Todd.Miller@sudo.ws>" +%endif + + # Stash original docdir and exampledir + odocdir="${docdir}" + oexampledir="${exampledir}" + + # docdir and exampledir are installed with "sudo" as the package + # name which may not be correct. + docdir="`echo \"${docdir}\" | sed 's#/sudo$#/'\"${name}\"'#'`" + if test "${exampledir}" = "${odocdir}/examples"; then + exampledir="${docdir}/examples" + else + exampledir="`echo \"${exampledir}\" | sed 's#/sudo$#/'\"${name}\"'#'`" + fi + + # For RedHat the doc dir is expected to include version and release + case "$pp_rpm_distro" in + centos*|rhel*|f[0-9]*) + docdir="${docdir}-${pp_rpm_version}-${pp_rpm_release}" + exampledir="${docdir}/examples" + ;; + esac + + # Copy docdir and exampledir to new names if needed + if test ! -d "${pp_destdir}${docdir}"; then + cp -R ${pp_destdir}${odocdir} ${pp_destdir}${docdir} + find ${pp_destdir}${docdir} -depth | sed "s#^${pp_destdir}##" >> ${pp_wrkdir}/pp_cleanup + fi + if test ! -d "${pp_destdir}${exampledir}"; then + cp -R ${pp_destdir}${oexampledir} ${pp_destdir}${exampledir} + find ${pp_destdir}${exampledir} -depth | sed "s#^${pp_destdir}##" >> ${pp_wrkdir}/pp_cleanup + fi + +%if [deb] + pp_deb_maintainer="$pp_rpm_packager" + pp_deb_release="$pp_rpm_release" + pp_deb_version="$pp_rpm_version" + pp_deb_section=admin + install -D -m 644 ${pp_destdir}$docdir/LICENSE.md ${pp_wrkdir}/${name}/usr/share/doc/${name}/copyright + install -D -m 644 ${pp_destdir}$docdir/ChangeLog ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog + gzip -9f ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog + printf "$name ($pp_deb_version-$pp_deb_release) admin; urgency=low\n\n * see upstream changelog\n\n -- $pp_deb_maintainer `date '+%a, %d %b %Y %T %z'`\n" > ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian + chmod 644 ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian + gzip -9f ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian + # Create lintian override file + mkdir -p ${pp_wrkdir}/${name}/usr/share/lintian/overrides + cat >${pp_wrkdir}/${name}/usr/share/lintian/overrides/${name} <<-EOF + # Sudo ships with debugging symbols + $name: unstripped-binary-or-object + EOF + chmod 644 ${pp_wrkdir}/${name}/usr/share/lintian/overrides/${name} +%endif + +%if [rpm] + # Add distro info to release + osrelease=`echo "$pp_rpm_distro" | sed -e 's/^[^0-9]*\([0-9]\{1,2\}\).*/\1/'` + case "$pp_rpm_distro" in + centos*|rhel*|f[0-9]*) + # CentOS Stream has a single-digit version + if test $osrelease -lt 10; then + osrelease="${osrelease}0" + fi + pp_rpm_release="$pp_rpm_release.el${osrelease%%[0-9]}" + ;; + sles*) + pp_rpm_release="$pp_rpm_release.sles$osrelease" + ;; + esac +%endif + +%if [macos] + pp_macos_pkg_type=flat + pp_macos_bundle_id=ws.sudo.pkg.sudo-python + pp_macos_pkg_background=${srcdir}/etc/macos-background.png + pp_macos_pkg_background_dark=${srcdir}/etc/macos-background.png + pp_macos_pkg_license=${pp_destdir}$docdir/LICENSE.md + pp_macos_pkg_readme=${pp_wrkdir}/ReadMe.txt + perl -pe 'last if (/^What/i && $seen++)' ${pp_destdir}$docdir/NEWS > ${pp_wrkdir}/ReadMe.txt +%endif + +%if [!rpm,deb] + # Package parent directories when not installing under /usr + if test "${prefix}" != "/usr"; then + extradirs=`echo ${pp_destdir}${mandir}/[mc]* | sed "s#${pp_destdir}##g"` + extradirs="$extradirs `dirname $docdir`" + test "`dirname $exampledir`" != "$docdir" && extradirs="$extradirs `dirname $exampledir`" + for dir in $libexecdir $extradirs; do + while test "$dir" != "/"; do + parentdirs="${parentdirs}${parentdirs+ }$dir/" + dir=`dirname $dir` + done + done + parentdirs=`echo $parentdirs | tr " " "\n" | sort -u` + fi +%endif + +%depend [deb] + libc6, libpython@PYTHON_VERSION@, sudo + +%fixup [deb] + cp -p %{pp_wrkdir}/%{name}/DEBIAN/control %{pp_wrkdir}/%{name}/DEBIAN/control.$$ + sed "s/@PYTHON_VERSION@/%{python_version}/g" %{pp_wrkdir}/%{name}/DEBIAN/control.$$ > %{pp_wrkdir}/%{name}/DEBIAN/control + rm -f %{pp_wrkdir}/%{name}/DEBIAN/control.$$ + echo "Homepage: https://www.sudo.ws" >> %{pp_wrkdir}/%{name}/DEBIAN/control + echo "Bugs: https://bugzilla.sudo.ws" >> %{pp_wrkdir}/%{name}/DEBIAN/control + +%fixup [rpm] + cat > %{pp_wrkdir}/${name}.spec.sed <<-'EOF' + /^%files/ { + i\ + %clean\ + :\ + + } + EOF + mv %{pp_wrkdir}/${name}.spec %{pp_wrkdir}/${name}.spec.bak + sed -f %{pp_wrkdir}/${name}.spec.sed %{pp_wrkdir}/${name}.spec.bak > %{pp_wrkdir}/${name}.spec + +%files + /** ignore +%if X"$parentdirs" != X"" + $parentdirs - ignore-others +%endif + $libexecdir/sudo/ 0755 ignore-others + $libexecdir/sudo/python* $shlib_mode ignore-others + $docdir/ 0755 ignore-others + $exampledir/ 0755 ignore-others + $exampledir/*.py 0644 ignore-others + $mandir/man*/*python* 0644 ignore-others diff --git a/etc/sudo.pp b/etc/sudo.pp new file mode 100644 index 0000000..4dd5e7c --- /dev/null +++ b/etc/sudo.pp @@ -0,0 +1,571 @@ +%set + if test -n "$flavor"; then + name="sudo-$flavor" + else + name="sudo" + fi + summary="Provide limited super-user privileges to specific users" + description="Sudo is a program designed to allow a sysadmin to give \ +limited root privileges to users and log root activity. \ +The basic philosophy is to give as few privileges as possible but \ +still allow people to get their work done." + vendor="Todd C. Miller" + copyright="(c) 1993-1996,1998-2021 Todd C. Miller" + sudoedit_man=`echo ${pp_destdir}$mandir/*/sudoedit.*|sed "s:^${pp_destdir}::"` + sudoedit_man_target=`basename $sudoedit_man | sed 's/edit//'` + +%if [aix] + # AIX package summary is limited to 40 characters + summary="Configurable super-user privileges" + + # Convert to 4 part version for AIX, including patch level + pp_aix_version=`echo $version|sed -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)p\([0-9]*\)$/\1.\2/' -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)[^0-9\.].*$/\1/' -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)$/\1.0/'` + + # Don't allow sudo to prompt for a password + pp_aix_sudo="sudo -n" +%endif + +%if [sd] + pp_sd_vendor_tag="TCM" +%endif + +%if [solaris] + pp_solaris_name="TCM${name}" + pp_solaris_pstamp=`/usr/bin/date "+%B %d, %Y"` +%endif + +%if [macos] + # System Integrity Protection on macOS won't allow us to write + # directly to /etc or /var. We must install in /private instead. + case "$sysconfdir" in + /etc|/etc/*) + mkdir -p ${pp_destdir}/private + chmod 755 ${pp_destdir}/private + if test -d ${pp_destdir}/etc; then + mv ${pp_destdir}/etc ${pp_destdir}/private/etc + fi + sysconfdir="/private${sysconfdir}" + ;; + esac + case "$vardir" in + /var|/var/*) + mkdir -p ${pp_destdir}/private + chmod 755 ${pp_destdir}/private + if test -d ${pp_destdir}/var; then + mv ${pp_destdir}/var ${pp_destdir}/private/var + fi + vardir="/private${vardir}" + ;; + esac + case "$rundir" in + /var|/var/*) + mkdir -p ${pp_destdir}/private + chmod 755 ${pp_destdir}/private + if test -d ${pp_destdir}/var; then + mv ${pp_destdir}/var ${pp_destdir}/private/var + fi + rundir="/private${rundir}" + ;; + esac +%endif + +%if [rpm,deb] + # Convert patch level into release and remove from version + pp_rpm_release="`expr \( $version : '.*p\([0-9][0-9]*\)$' \| 0 \) + 1`" + pp_rpm_version="`expr \( $version : '\(.*\)p[0-9][0-9]*$' \| $version \)`" + pp_rpm_license="BSD" + pp_rpm_url="https://www.sudo.ws" + pp_rpm_group="Applications/System" + pp_rpm_packager="Todd C. Miller <Todd.Miller@sudo.ws>" + if test -n "$linux_audit"; then + pp_rpm_requires="audit-libs >= $linux_audit" + fi + # The package manager will handle an existing sudoers file + rm -f ${pp_destdir}${sysconfdir}/sudoers.dist +%else + # For all but RPM and Debian we copy sudoers in a post-install script. + rm -f ${pp_destdir}${sysconfdir}/sudoers + # We install sudo.conf from the example dir in a post-install script. + rm -f ${pp_destdir}${sysconfdir}/sudo.conf +%endif + + # Stash original docdir and exampledir + odocdir="${docdir}" + oexampledir="${exampledir}" + + # For RedHat the doc dir is expected to include version and release + case "$pp_rpm_distro" in + centos*|rhel*|f[0-9]*) + docdir="${docdir}-${pp_rpm_version}-${pp_rpm_release}" + exampledir="${docdir}/examples" + ;; + esac + + if test -n "$flavor"; then + # docdir and exampledir are installed with "sudo" as the package + # name which is not be correct for flavors. + docdir="`echo \"${docdir}\" | sed \"s#/sudo#/${name}#g\"`" + exampledir="`echo \"${exampledir}\" | sed \"s#/sudo#/${name}#g\"`" + fi + + # Copy docdir and exampledir to new names if needed + if test ! -d "${pp_destdir}${docdir}"; then + cp -R ${pp_destdir}${odocdir} ${pp_destdir}${docdir} + find ${pp_destdir}${docdir} -depth | sed "s#^${pp_destdir}##" >> ${pp_wrkdir}/pp_cleanup + fi + if test ! -d "${pp_destdir}${exampledir}"; then + cp -R ${pp_destdir}${oexampledir} ${pp_destdir}${exampledir} + find ${pp_destdir}${exampledir} -depth | sed "s#^${pp_destdir}##" >> ${pp_wrkdir}/pp_cleanup + fi + +%if [deb] + pp_deb_maintainer="$pp_rpm_packager" + pp_deb_release="$pp_rpm_release" + pp_deb_version="$pp_rpm_version" + pp_deb_section=admin + install -D -m 644 ${pp_destdir}$docdir/LICENSE.md ${pp_wrkdir}/${name}/usr/share/doc/${name}/copyright + install -D -m 644 ${pp_destdir}$docdir/ChangeLog ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog + gzip -9f ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog + printf "$name ($pp_deb_version-$pp_deb_release) admin; urgency=low\n\n * see upstream changelog\n\n -- $pp_deb_maintainer `date '+%a, %d %b %Y %T %z'`\n" > ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian + chmod 644 ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian + gzip -9f ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian + # Create lintian override file, must be tab indented for "<<-" + mkdir -p ${pp_wrkdir}/${name}/usr/share/lintian/overrides + cat >${pp_wrkdir}/${name}/usr/share/lintian/overrides/${name} <<-EOF + # The sudo binary must be setuid root + $name: setuid-binary usr/bin/sudo 4755 root/root + # Sudo configuration and data dirs must not be world-readable + $name: non-standard-file-perm etc/sudoers 0440 != 0644 + $name: non-standard-dir-perm etc/sudoers.d/ 0750 != 0755 + $name: non-standard-dir-perm var/lib/sudo/ 0700 != 0755 + # Sudo ships with debugging symbols + $name: unstripped-binary-or-object + EOF + chmod 644 ${pp_wrkdir}/${name}/usr/share/lintian/overrides/${name} + # If libssl_dep not passed in, try to figure it out + if test -z "$libssl_dep"; then + libssl_dep="`ldd $libexecdir/sudo/sudoers.so 2>&1 | sed -n 's/^[ ]*libssl\.so\([0-9.]*\).*/libssl\1/p'`" + fi +%endif + +%if [rpm] + # Add distro info to release + osrelease=`echo "$pp_rpm_distro" | sed -e 's/^[^0-9]*\([0-9]\{1,2\}\).*/\1/'` + case "$pp_rpm_distro" in + centos*|rhel*|f[0-9]*) + # CentOS Stream has a single-digit version + if test $osrelease -lt 10; then + osrelease="${osrelease}0" + fi + pp_rpm_release="$pp_rpm_release.el${osrelease%%[0-9]}" + ;; + sles*) + pp_rpm_release="$pp_rpm_release.sles$osrelease" + ;; + esac + + # Uncomment some Defaults in sudoers + case "$pp_rpm_distro" in + centos*|rhel*|f[0-9]*) + sed -e '/Locale settings/{ N;s/\(\n\)# /\1/; }' -e '/Desktop path settings/{ N;s/\(\n\)# /\1/; }' -e '/allow members of group wheel to execute any command/{ N;s/\(\n\)# /\1/; }' ${pp_destdir}${sysconfdir}/sudoers > ${pp_destdir}${sysconfdir}/sudoers.$$ + mv -f ${pp_destdir}${sysconfdir}/sudoers.$$ ${pp_destdir}${sysconfdir}/sudoers + ;; + sles*) + sed -e '/Locale settings/{ N;s/\(\n\)# /\1/; }' -e '/ConsoleKit session/{ N;s/\(\n\)# /\1/; }' -e '/allow any user to run sudo if they know the password/{ N;N;N;s/\(\n\)# /\1/g; }' ${pp_destdir}${sysconfdir}/sudoers > ${pp_destdir}${sysconfdir}/sudoers.$$ + mv -f ${pp_destdir}${sysconfdir}/sudoers.$$ ${pp_destdir}${sysconfdir}/sudoers + ;; + esac + + # Choose the correct PAM file by distro, must be tab indented for "<<-" + case "$pp_rpm_distro" in + centos*|rhel*) + mkdir -p ${pp_destdir}/etc/pam.d + if test $osrelease -lt 50; then + cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF + #%PAM-1.0 + auth required pam_stack.so service=system-auth + account required pam_stack.so service=system-auth + password required pam_stack.so service=system-auth + session required pam_limits.so + EOF + else + cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF + #%PAM-1.0 + auth include system-auth + account include system-auth + password include system-auth + session optional pam_keyinit.so revoke + session required pam_limits.so + EOF + cat > ${pp_destdir}/etc/pam.d/sudo-i <<-EOF + #%PAM-1.0 + auth include sudo + account include sudo + password include sudo + session optional pam_keyinit.so force revoke + session required pam_limits.so + EOF + fi + ;; + f[0-9]*) + # XXX - share with rhel + mkdir -p ${pp_destdir}/etc/pam.d + cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF + #%PAM-1.0 + auth include system-auth + account include system-auth + password include system-auth + session optional pam_keyinit.so revoke + session required pam_limits.so + EOF + cat > ${pp_destdir}/etc/pam.d/sudo-i <<-EOF + #%PAM-1.0 + auth include sudo + account include sudo + password include sudo + session optional pam_keyinit.so force revoke + session required pam_limits.so + EOF + ;; + sles*) + mkdir -p ${pp_destdir}/etc/pam.d + if test $osrelease -lt 10; then + cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF + #%PAM-1.0 + auth required pam_unix2.so + session required pam_limits.so + EOF + else + cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF + #%PAM-1.0 + auth include common-auth + account include common-account + password include common-password + session include common-session + # session optional pam_xauth.so + EOF + fi + ;; + esac +%endif + +%if [deb] + # Uncomment some Defaults and the %sudo rule in sudoers + sed -e '/Locale settings/{ N;s/\(\n\)# /\1/; }' -e '/X11 resource/{ N;s/\(\n\)# /\1/; }' -e 's/^# \(Defaults secure_path\)/\1/' -e 's/^# \(Defaults mail_badpass\)/\1/' -e 's/^# \(\%sudo\)/\1/' ${pp_destdir}${sysconfdir}/sudoers > ${pp_destdir}${sysconfdir}/sudoers.$$ + mv -f ${pp_destdir}${sysconfdir}/sudoers.$$ ${pp_destdir}${sysconfdir}/sudoers + mkdir -p ${pp_destdir}/etc/pam.d + # Create Debian PAM file, must be tab indented for "<<-" + cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF + #%PAM-1.0 + + @include common-auth + @include common-account + + session required pam_permit.so + session required pam_limits.so + EOF +%endif + +%if [macos] + pp_macos_pkg_type=flat + pp_macos_bundle_id=ws.sudo.pkg.sudo + pp_macos_pkg_background=${srcdir}/etc/macos-background.png + pp_macos_pkg_background_dark=${srcdir}/etc/macos-background.png + pp_macos_pkg_license=${pp_destdir}$docdir/LICENSE.md + pp_macos_pkg_readme=${pp_wrkdir}/ReadMe.txt + perl -pe 'last if (/^What/i && $seen++)' ${pp_destdir}$docdir/NEWS > ${pp_wrkdir}/ReadMe.txt +%endif + +%if X"$aix_freeware" = X"true" + # Create links from /opt/freeware/{bin,sbin} -> /usr/{bin,sbin} + mkdir -p ${pp_destdir}/usr/bin ${pp_destdir}/usr/sbin + ln -s -f ${bindir}/cvtsudoers ${pp_destdir}/usr/bin + ln -s -f ${bindir}/sudo ${pp_destdir}/usr/bin + ln -s -f ${bindir}/sudoedit ${pp_destdir}/usr/bin + ln -s -f ${bindir}/sudoreplay ${pp_destdir}/usr/bin + ln -s -f ${sbindir}/sudo_sendlog ${pp_destdir}/usr/sbin + ln -s -f ${sbindir}/visudo ${pp_destdir}/usr/sbin +%endif + +%if [!rpm,deb] + # Package parent directories when not installing under /usr + if test "${prefix}" != "/usr"; then + extradirs=`echo ${pp_destdir}${mandir}/[mc]* | sed "s#${pp_destdir}##g"` + extradirs="$extradirs `dirname $docdir` `dirname $rundir` `dirname $vardir`" + test "`dirname $exampledir`" != "$docdir" && extradirs="$extradirs `dirname $exampledir`" + test -d ${pp_destdir}${localedir} && extradirs="$extradirs $localedir" + for dir in $bindir $sbindir $libexecdir $includedir $extradirs; do + while test "$dir" != "/"; do + parentdirs="${parentdirs}${parentdirs+ }$dir/" + dir=`dirname $dir` + done + done + parentdirs=`echo $parentdirs | tr " " "\n" | sort -u` + fi +%endif + +%depend [deb] + libc6, libpam0g, libpam-modules, zlib1g, libapparmor1 + +%fixup [deb] + # Add Conflicts, Replaces headers and add libldap dependency as needed. + DEPENDS="%{linux_audit}" + if test -z "%{flavor}"; then + echo "Conflicts: sudo-ldap" >> %{pp_wrkdir}/%{name}/DEBIAN/control + echo "Replaces: sudo-ldap" >> %{pp_wrkdir}/%{name}/DEBIAN/control + elif test "%{flavor}" = "ldap"; then + echo "Conflicts: sudo" >> %{pp_wrkdir}/%{name}/DEBIAN/control + echo "Replaces: sudo" >> %{pp_wrkdir}/%{name}/DEBIAN/control + echo "Provides: sudo" >> %{pp_wrkdir}/%{name}/DEBIAN/control + DEPENDS="${DEPENDS}${DEPENDS:+, }libldap-2.4-2" + fi + if test -n "%{libssl_dep}"; then + DEPENDS="${DEPENDS}${DEPENDS:+, }%{libssl_dep}" + fi + cp -p %{pp_wrkdir}/%{name}/DEBIAN/control %{pp_wrkdir}/%{name}/DEBIAN/control.$$ + if test -n "${DEPENDS}"; then + sed "s/^\(Depends:.*\) *$/\1, ${DEPENDS}/" %{pp_wrkdir}/%{name}/DEBIAN/control.$$ > %{pp_wrkdir}/%{name}/DEBIAN/control + fi + rm -f %{pp_wrkdir}/%{name}/DEBIAN/control.$$ + echo "Homepage: https://www.sudo.ws" >> %{pp_wrkdir}/%{name}/DEBIAN/control + echo "Bugs: https://bugzilla.sudo.ws" >> %{pp_wrkdir}/%{name}/DEBIAN/control + +%fixup [rpm] + # Must be tab indented for "<<-". + cat > %{pp_wrkdir}/${name}.spec.sed <<-'EOF' + /^%files/ { + i\ + %clean\ + :\ + + } + EOF + mv %{pp_wrkdir}/${name}.spec %{pp_wrkdir}/${name}.spec.bak + sed -f %{pp_wrkdir}/${name}.spec.sed %{pp_wrkdir}/${name}.spec.bak > %{pp_wrkdir}/${name}.spec + +%files +%if X"$parentdirs" != X"" + $parentdirs - +%endif +%if X"$odocdir" != X"$docdir" + $odocdir/ ignore + $odocdir/** ignore +%endif +%if X"$oexampledir" != X"$exampledir" -a X"$exampledir" != X"$docdir/examples" + $oexampledir/ ignore + $oexampledir/** ignore +%endif + $bindir/cvtsudoers 0755 root: + $bindir/sudo 4755 root: + $bindir/sudoedit 0755 root: symlink sudo + $bindir/sudoreplay 0755 + $sbindir/sudo_sendlog 0755 + $sbindir/sudo_logsrvd optional,ignore + $sbindir/visudo 0755 + $includedir/sudo_plugin.h 0644 + $libexecdir/sudo/ 0755 + $libexecdir/sudo/sesh 0755 optional,ignore-others + $libexecdir/sudo/python* optional,ignore,ignore-others + $libexecdir/sudo/* $shlib_mode optional + $sysconfdir/sudoers.d/ 0750 $sudoers_uid:$sudoers_gid + $rundir/ 0711 root: + $vardir/ 0711 root: ignore-others + $vardir/lectured/ 0700 root: + $docdir/ 0755 + $docdir/** 0644 +%if [deb] + $docdir/LICENSE.md ignore,ignore-others + $docdir/ChangeLog ignore,ignore-others +%endif + $exampledir/ 0755 ignore-others +%if X"$exampledir" != X"$docdir/examples" + $exampledir/* 0644 +%endif + $exampledir/sudo_logsrv* optional,ignore,ignore-others + $exampledir/*.py optional,ignore,ignore-others + $localedir/*/ - optional + $localedir/*/LC_MESSAGES/ - optional + $localedir/*/LC_MESSAGES/* 0644 optional + /etc/pam.d/* 0644 volatile,optional +%if [rpm,deb] + $sysconfdir/sudoers $sudoers_mode $sudoers_uid:$sudoers_gid volatile + $sysconfdir/sudo.conf 0644 root: volatile +%else + $sysconfdir/sudoers.dist $sudoers_mode $sudoers_uid:$sudoers_gid +%endif + $sysconfdir/sudo_logsrvd.conf optional,ignore,ignore-others +%if X"$aix_freeware" = X"true" + # Links for binaries from /opt/freeware to /usr + /usr/bin/cvtsudoers 0755 root: symlink $bindir/cvtsudoers + /usr/bin/sudo 0755 root: symlink $bindir/sudo + /usr/bin/sudoedit 0755 root: symlink $bindir/sudoedit + /usr/bin/sudoreplay 0755 root: symlink $bindir/sudoreplay + /usr/sbin/sudo_sendlog 0755 root: symlink $sbindir/sendlog + /usr/sbin/visudo 0755 root: symlink $sbindir/visudo +%endif +%if [rpm] + /etc/rc.d/init.d/sudo 0755 root: optional +%endif +%if [aix] + /etc/rc.d/ ignore + /etc/rc.d/rc2.d/ ignore + /etc/rc.d/rc2.d/** ignore + /etc/rc.d/init.d/ ignore + /etc/rc.d/init.d/sudo 0755 root: +%endif +%if [sd] + /sbin/ ignore + /sbin/rc2.d/ ignore + /sbin/rc2.d/** ignore + /sbin/init.d/ ignore + /sbin/init.d/sudo 0755 root: +%endif + $mandir/man*/* 0644 + $mandir/man*/sudo_logsrv* ignore,ignore-others + $mandir/man*/*python* ignore,ignore-others + $sudoedit_man 0644 symlink,ignore-others $sudoedit_man_target + +%pre [aix] + if rpm -q %{name} >/dev/null 2>&1; then + echo "Another version of sudo is currently installed via rpm." 2>&1 + echo "Please either uninstall the rpm version of sudo by running \"rpm -e sudo\"" 2>&1 + echo "or upgrade the existing version of sudo using the .rpm packagae instead" 2>&1 + echo "instead of the .bff package." 2>&1 + echo "" 2>&1 + echo "Note that you may need to pass rpm the --oldpackage flag when upgrading" 2>&1 + echo "the AIX Toolbox version of sudo to the latest sudo rpm from sudo.ws." 2>&1 + echo "" 2>&1 + exit 1 + fi + +%post [!rpm,deb] + # Don't overwrite existing sudoers or sudo.conf files +%if [solaris] + sysconfdir=${PKG_INSTALL_ROOT}%{sysconfdir} + exampledir=${PKG_INSTALL_ROOT}%{exampledir} +%else + sysconfdir=%{sysconfdir} + exampledir=%{exampledir} +%endif + if test ! -r $sysconfdir/sudoers; then + cp $sysconfdir/sudoers.dist $sysconfdir/sudoers + chmod %{sudoers_mode} $sysconfdir/sudoers + chown %{sudoers_uid} $sysconfdir/sudoers + chgrp %{sudoers_gid} $sysconfdir/sudoers + fi + if test ! -r $sysconfdir/sudo.conf; then + cp $exampledir/sudo.conf $sysconfdir/sudo.conf + chmod 644 $sysconfdir/sudo.conf + chown root $sysconfdir/sudo.conf + fi + +%post [deb] + set -e + + # dpkg-deb does not maintain the mode on the sudoers file, and + # installs it 0640 when sudo requires 0440 + chmod %{sudoers_mode} %{sysconfdir}/sudoers + + # create symlink to ease transition to new path for ldap config + # if old config file exists and new one doesn't + if test X"%{flavor}" = X"ldap" -a \ + -r /etc/ldap/ldap.conf -a ! -r /etc/sudo-ldap.conf; then + ln -s /etc/ldap/ldap.conf /etc/sudo-ldap.conf + fi + + # Debian uses a sudo group in its default sudoers file + perl -e ' + exit 0 if getgrnam("sudo"); + $gid = 27; # default debian sudo gid + setgrent(); + while (getgrgid($gid)) { $gid++; } + if ($gid != 27) { + print "On Debian we normally use gid 27 for \"sudo\".\n"; + $gname = getgrgid(27); + print "However, on your system gid 27 is group \"$gname\".\n\n"; + print "Would you like me to stop configuring sudo so that you can change this? [n] "; + $ans = <STDIN>; + if ($ans =~ /^[yY]/) { + print "\"dpkg --pending --configure\" will restart the configuration.\n\n"; + exit 1; + } + } + print "Creating group \"sudo\" with gid = $gid\n"; + system("groupadd -g $gid sudo"); + exit 0; + ' + +%post [rpm] + case "%{pp_rpm_distro}" in + aix*) + # Create /etc/rc.d/rc2.d/S90sudo link if possible + if [ -d /etc/rc.d/rc2.d ]; then + rm -f /etc/rc.d/rc2.d/S90sudo + ln -s /etc/rc.d/init.d/sudo /etc/rc.d/rc2.d/S90sudo + fi + ;; + esac + +%post [rpm,deb] + # Create /usr/lib/tmpfiles.d/sudo.conf if systemd is configured. + # Must be tab indented for "<<-". + if [ -f /usr/lib/tmpfiles.d/systemd.conf ]; then + cat > /usr/lib/tmpfiles.d/sudo.conf <<-EOF + # Create an empty sudo time stamp directory on OSes using systemd. + # Sudo will create the directory itself but this can cause problems + # on systems that have SELinux enabled since the directories will be + # created with the user's security context. + d %{rundir} 0711 root root + D %{rundir}/ts 0700 root root + EOF + fi + +%post [aix] + # Create /etc/rc.d/rc2.d/S90sudo link if /etc/rc.d exists + if [ -d /etc/rc.d ]; then + rm -f /etc/rc.d/rc2.d/S90sudo + ln -s /etc/rc.d/init.d/sudo /etc/rc.d/rc2.d/S90sudo + fi + +%post [sd] + # Create /sbin/rc2.d/S900sudo link + rm -f /sbin/rc2.d/S900sudo + ln -s /sbin/init.d/sudo /sbin/rc2.d/S900sudo + +%preun + # Remove the time stamp dir and its contents + # We currently leave the lecture status files installed + rm -rf %{rundir}/ts +%if [deb] + set -e + + # Remove the /etc/ldap/ldap.conf -> /etc/sudo-ldap.conf symlink if + # it matches what we created in the postinstall script. + if test X"%{flavor}" = X"ldap" -a \ + X"`readlink /etc/sudo-ldap.conf 2>/dev/null`" = X"/etc/ldap/ldap.conf"; then + rm -f /etc/sudo-ldap.conf + fi + + # Remove systemd tmpfile config + rm -f /usr/lib/tmpfiles.d/sudo.conf +%endif +%if [rpm] + case "%{pp_rpm_distro}" in + aix*) + # Remove /etc/rc.d/rc2.d/S90sudo link + rm -f /etc/rc.d/rc2.d/S90sudo + ;; + *) + # Remove systemd tmpfile config + rm -f /usr/lib/tmpfiles.d/sudo.conf + ;; + esac +%endif +%if [aix] + # Remove /etc/rc.d/rc2.d/S90sudo link + rm -f /etc/rc.d/rc2.d/S90sudo +%endif +%if [sd] + # Remove /sbin/rc2.d/S900sudo link + rm -f /sbin/rc2.d/S900sudo +%endif |