* [gentoo-commits] repo/gentoo:master commit in: app-admin/sudo/, app-admin/sudo/files/
@ 2016-03-08 15:04 Doug Goldstein
From: Doug Goldstein @ 2016-03-08 15:04 UTC
To: gentoo-commits
commit: 21f8d167c044a4a6846b97ce78c7e52ce7497936
Author: Doug Goldstein <cardoe <AT> gentoo <DOT> org>
AuthorDate: Tue Mar 8 15:03:42 2016 +0000
Commit: Doug Goldstein <cardoe <AT> gentoo <DOT> org>
CommitDate: Tue Mar 8 15:04:11 2016 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=21f8d167
app-admin/sudo: remove vulnerable versions
Clean up versions vulnerable to CVE-2015-5602
Gentoo-Bug: 564774
Package-Manager: portage-2.2.26
Signed-off-by: Doug Goldstein <cardoe <AT> gentoo.org>
app-admin/sudo/Manifest | 2 -
.../files/sudo-1.8.12-include-sys-types-h.patch | 146 ---------------
app-admin/sudo/sudo-1.8.12.ebuild | 197 ---------------------
app-admin/sudo/sudo-1.8.14_p3.ebuild | 196 --------------------
4 files changed, 541 deletions(-)
diff --git a/app-admin/sudo/Manifest b/app-admin/sudo/Manifest
index 91f8db9..185cd43 100644
--- a/app-admin/sudo/Manifest
+++ b/app-admin/sudo/Manifest
@@ -1,3 +1 @@
-DIST sudo-1.8.12.tar.gz 2493373 SHA256 163b51841de8ad19276581a6782d61f5948f1f72a0a843371a1c167d3dc4f3b0 SHA512 1815343eceb7cfa6e37c961ce1c68cf96fc290356b92078d6d24a2c85d8b7a7236df78d3ff7f5e30eba492dc8407346d884e01c0b989eef4414156cfec80b67b WHIRLPOOL 0d9e618937a08b9bf74aaebf12f5b9f96afd827728f90fa95b6a2a4f932cc84240d56674aa903062247068ec5aa3369b14bad64130caeb313330286510c2d3f6
-DIST sudo-1.8.14p3.tar.gz 2570892 SHA256 a8a697cbb113859058944850d098464618254804cf97961dee926429f00a1237 SHA512 022e75a4171c0d9b87569adc5b08afc1b8f2adb7dbc6c80dfb737029dbca560a08e317ce37f117b614f36b54666ed01559a72d0c92523a5a2ee3531f520d7a2b WHIRLPOOL 143ff1c464b539e79172cd0340a089739207d2b99fc01d183a27b24b5172c834d6ed0f7258116542ffa559a3a4c3540924261170655dd7bedb449f8d93496bbd
DIST sudo-1.8.15.tar.gz 2660128 SHA256 4316381708324da8b6cb151f655c1a11855207c7c02244d8ffdea5104d7cc308 SHA512 f2bff92104ddc4cbea8c788da446043cbfe02c977cedf18d46b1c82e98d7227432cb5a61233e7a06af84e3637f906edd5e02bb88c03a2ce4a16df410469a5dab WHIRLPOOL 3da64eda51f22d7fc0ea76f0693e9960d511b7c762b5d6237318d17436fd64b58ae90caa9bf4e125ebee70b83eac7cba2c7451fb62fafd8ee3d133c4ae2037b9
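Review bot: The commit message names CVE-2015-5602 but not the version that is supposed to carry the fix. After this hunk the only DIST entry left is sudo-1.8.15.tar.gz, so the message should say explicitly that 1.8.15 is the intended upgrade target, which lets the cleanup be checked against Gentoo-Bug 564774 without opening the tree.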
diff --git a/app-admin/sudo/files/sudo-1.8.12-include-sys-types-h.patch b/app-admin/sudo/files/sudo-1.8.12-include-sys-types-h.patch
deleted file mode 100644
index f337486..0000000
--- a/app-admin/sudo/files/sudo-1.8.12-include-sys-types-h.patch
+++ /dev/null
@@ -1,146 +0,0 @@
-This fixes builds on uClibc and musl. See
-https://bugs.gentoo.org/show_bug.cgi?id=544756
-
-This patch is a slight modification of uptream commits:
-http://www.sudo.ws/repos/sudo/rev/86eb67f3c41a
-http://www.sudo.ws/repos/sudo/rev/e0794f05e95c
-
-diff -Naur sudo-1.8.12.orig/lib/util/getopt_long.c sudo-1.8.12/lib/util/getopt_long.c
---- sudo-1.8.12.orig/lib/util/getopt_long.c 2015-02-09 18:40:10.000000000 +0000
-+++ sudo-1.8.12/lib/util/getopt_long.c 2015-04-10 19:21:20.337032782 +0000
-@@ -52,6 +52,7 @@
-
- #include <config.h>
-
-+#include <sys/types.h>
- #include <stdio.h>
- #ifdef STDC_HEADERS
- # include <stdlib.h>
-diff -Naur sudo-1.8.12.orig/lib/util/mksiglist.c sudo-1.8.12/lib/util/mksiglist.c
---- sudo-1.8.12.orig/lib/util/mksiglist.c 2015-02-09 18:40:10.000000000 +0000
-+++ sudo-1.8.12/lib/util/mksiglist.c 2015-04-10 19:22:38.719856268 +0000
-@@ -43,6 +43,7 @@
- #include "mksiglist.h"
-
- printf("#include <config.h>\n");
-+ printf("#include <sys/types.h>\n");
- printf("#include <signal.h>\n");
- printf("#include \"sudo_compat.h\"\n\n");
- printf("const char *const sudo_sys_siglist[NSIG] = {\n");
-diff -Naur sudo-1.8.12.orig/lib/util/mksigname.c sudo-1.8.12/lib/util/mksigname.c
---- sudo-1.8.12.orig/lib/util/mksigname.c 2015-02-09 18:40:10.000000000 +0000
-+++ sudo-1.8.12/lib/util/mksigname.c 2015-04-10 19:22:10.738491394 +0000
-@@ -43,6 +43,7 @@
- #include "mksigname.h"
-
- printf("#include <config.h>\n");
-+ printf("#include <sys/types.h>\n");
- printf("#include <signal.h>\n");
- printf("#include \"sudo_compat.h\"\n\n");
- printf("const char *const sudo_sys_signame[NSIG] = {\n");
-diff -Naur sudo-1.8.12.orig/lib/util/regress/fnmatch/fnm_test.c sudo-1.8.12/lib/util/regress/fnmatch/fnm_test.c
---- sudo-1.8.12.orig/lib/util/regress/fnmatch/fnm_test.c 2015-02-09 18:40:10.000000000 +0000
-+++ sudo-1.8.12/lib/util/regress/fnmatch/fnm_test.c 2015-04-10 19:21:20.340032928 +0000
-@@ -6,6 +6,7 @@
-
- #include <config.h>
-
-+#include <sys/types.h>
- #include <stdio.h>
- #include <stdlib.h>
- #ifdef HAVE_STRING_H
-diff -Naur sudo-1.8.12.orig/lib/util/regress/glob/globtest.c sudo-1.8.12/lib/util/regress/glob/globtest.c
---- sudo-1.8.12.orig/lib/util/regress/glob/globtest.c 2015-02-09 18:40:10.000000000 +0000
-+++ sudo-1.8.12/lib/util/regress/glob/globtest.c 2015-04-10 19:21:20.341032977 +0000
-@@ -6,6 +6,7 @@
-
- #include <config.h>
-
-+#include <sys/types.h>
- #include <stdio.h>
- #include <stdlib.h>
- #ifdef HAVE_STRING_H
-diff -Naur sudo-1.8.12.orig/lib/util/sha2.c sudo-1.8.12/lib/util/sha2.c
---- sudo-1.8.12.orig/lib/util/sha2.c 2015-02-09 18:40:09.000000000 +0000
-+++ sudo-1.8.12/lib/util/sha2.c 2015-04-10 19:21:20.342033026 +0000
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2013 Todd C. Miller <Todd.Miller@courtesan.com>
-+ * Copyright (c) 2013-2015 Todd C. Miller <Todd.Miller@courtesan.com>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
-@@ -25,6 +25,7 @@
-
- #include <config.h>
-
-+#include <sys/types.h>
- #include <stdio.h>
- #ifdef STDC_HEADERS
- # include <stdlib.h>
-diff -Naur sudo-1.8.12.orig/plugins/sudoers/regress/parser/check_base64.c sudo-1.8.12/plugins/sudoers/regress/parser/check_base64.c
---- sudo-1.8.12.orig/plugins/sudoers/regress/parser/check_base64.c 2015-02-09 18:40:10.000000000 +0000
-+++ sudo-1.8.12/plugins/sudoers/regress/parser/check_base64.c 2015-04-10 19:21:20.342033026 +0000
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2013 Todd C. Miller <Todd.Miller@courtesan.com>
-+ * Copyright (c) 2013-2015 Todd C. Miller <Todd.Miller@courtesan.com>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
-@@ -16,6 +16,7 @@
-
- #include <config.h>
-
-+#include <sys/types.h>
- #include <stdio.h>
- #ifdef STDC_HEADERS
- # include <stdlib.h>
-diff -Naur sudo-1.8.12.orig/plugins/sudoers/regress/parser/check_digest.c sudo-1.8.12/plugins/sudoers/regress/parser/check_digest.c
---- sudo-1.8.12.orig/plugins/sudoers/regress/parser/check_digest.c 2015-02-09 18:40:10.000000000 +0000
-+++ sudo-1.8.12/plugins/sudoers/regress/parser/check_digest.c 2015-04-10 19:21:20.343033075 +0000
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2013 Todd C. Miller <Todd.Miller@courtesan.com>
-+ * Copyright (c) 2013-2015 Todd C. Miller <Todd.Miller@courtesan.com>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
-@@ -16,6 +16,7 @@
-
- #include <config.h>
-
-+#include <sys/types.h>
- #include <stdio.h>
- #ifdef STDC_HEADERS
- # include <stdlib.h>
-diff -Naur sudo-1.8.12.orig/plugins/sudoers/regress/parser/check_hexchar.c sudo-1.8.12/plugins/sudoers/regress/parser/check_hexchar.c
---- sudo-1.8.12.orig/plugins/sudoers/regress/parser/check_hexchar.c 2015-02-09 18:40:10.000000000 +0000
-+++ sudo-1.8.12/plugins/sudoers/regress/parser/check_hexchar.c 2015-04-10 19:21:20.344033124 +0000
-@@ -1,5 +1,5 @@
- /*
-- * Copyright (c) 2014 Todd C. Miller <Todd.Miller@courtesan.com>
-+ * Copyright (c) 2014-2015 Todd C. Miller <Todd.Miller@courtesan.com>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
-@@ -16,6 +16,7 @@
-
- #include <config.h>
-
-+#include <sys/types.h>
- #include <stdio.h>
- #ifdef STDC_HEADERS
- # include <stdlib.h>
-diff -Naur sudo-1.8.12.orig/plugins/sudoers/solaris_audit.c sudo-1.8.12/plugins/sudoers/solaris_audit.c
---- sudo-1.8.12.orig/plugins/sudoers/solaris_audit.c 2015-02-09 18:53:54.000000000 +0000
-+++ sudo-1.8.12/plugins/sudoers/solaris_audit.c 2015-04-10 19:21:20.345033172 +0000
-@@ -15,6 +15,8 @@
- */
-
- #include <config.h>
-+
-+#include <sys/types.h>
- #include <stdarg.h>
- #include <stdio.h>
- #include <stdlib.h>
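Review bot: Deleting files/sudo-1.8.12-include-sys-types-h.patch is only safe if no remaining ebuild applies it. Among the versions shown, only sudo-1.8.12.ebuild references it (epatch "${FILESDIR}"/${P}-include-sys-types-h.patch in src_prepare), and the sudo-1.8.14_p3 src_prepare() runs elibtoolize alone, so the removal looks consistent; the sudo-1.8.15 ebuild is not part of this diff, so grep it for the file name before merging, since the patch header says it was needed for uClibc and musl builds.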
diff --git a/app-admin/sudo/sudo-1.8.12.ebuild b/app-admin/sudo/sudo-1.8.12.ebuild
deleted file mode 100644
index d1ed25e..0000000
--- a/app-admin/sudo/sudo-1.8.12.ebuild
+++ /dev/null
@@ -1,197 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI=5
-
-inherit eutils pam multilib libtool
-
-MY_P=${P/_/}
-MY_P=${MY_P/beta/b}
-
-uri_prefix=
-case ${P} in
-*_beta*|*_rc*) uri_prefix=beta/ ;;
-esac
-
-DESCRIPTION="Allows users or groups to run commands as other users"
-HOMEPAGE="http://www.sudo.ws/"
-SRC_URI="http://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
- ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"
-
-# Basic license is ISC-style as-is, some files are released under
-# 3-clause BSD license
-LICENSE="ISC BSD"
-SLOT="0"
-KEYWORDS="alpha amd64 arm ~arm64 hppa ia64 ~m68k ~mips ppc ppc64 ~s390 ~sh sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~sparc-solaris"
-IUSE="ldap nls pam offensive selinux skey +sendmail"
-
-DEPEND="pam? ( virtual/pam )
- skey? ( >=sys-auth/skey-1.1.5-r1 )
- ldap? (
- >=net-nds/openldap-2.1.30-r1
- dev-libs/cyrus-sasl
- )
- sys-libs/zlib"
-RDEPEND="${DEPEND}
- selinux? ( sec-policy/selinux-sudo )
- ldap? ( dev-lang/perl )
- pam? ( sys-auth/pambase )
- >=app-misc/editor-wrapper-3
- virtual/editor
- sendmail? ( virtual/mta )"
-DEPEND="${DEPEND}
- sys-devel/bison"
-
-S=${WORKDIR}/${MY_P}
-
-REQUIRED_USE="pam? ( !skey ) skey? ( !pam )"
-
-MAKEOPTS+=" SAMPLES="
-
-src_prepare() {
- epatch "${FILESDIR}"/${P}-include-sys-types-h.patch
- elibtoolize
-}
-
-set_rootpath() {
- # FIXME: secure_path is a compile time setting. using ROOTPATH
- # is not perfect, env-update may invalidate this, but until it
- # is available as a sudoers setting this will have to do.
- einfo "Setting secure_path ..."
-
- # first extract the default ROOTPATH from build env
- ROOTPATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env; echo "${ROOTPATH}")
- if [[ -z ${ROOTPATH} ]] ; then
- ewarn " Failed to find ROOTPATH, please report this"
- fi
-
- # then remove duplicate path entries
- cleanpath() {
- local newpath thisp IFS=:
- for thisp in $1 ; do
- if [[ :${newpath}: != *:${thisp}:* ]] ; then
- newpath+=:$thisp
- else
- einfo " Duplicate entry ${thisp} removed..."
- fi
- done
- ROOTPATH=${newpath#:}
- }
- cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${ROOTPATH:+:${ROOTPATH}}
-
- # finally, strip gcc paths #136027
- rmpath() {
- local e newpath thisp IFS=:
- for thisp in ${ROOTPATH} ; do
- for e ; do [[ $thisp == $e ]] && continue 2 ; done
- newpath+=:$thisp
- done
- ROOTPATH=${newpath#:}
- }
- rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*'
-
- einfo "... done"
-}
-
-src_configure() {
- local ROOTPATH
- set_rootpath
-
- # audit: somebody got to explain me how I can test this before I
- # enable it.. - Diego
- # plugindir: autoconf code is crappy and does not delay evaluation
- # until `make` time, so we have to use a full path here rather than
- # basing off other values.
- econf \
- --enable-zlib=system \
- --with-secure-path="${ROOTPATH}" \
- --with-editor="${EPREFIX}"/usr/libexec/editor \
- --with-env-editor \
- $(use_with offensive insults) \
- $(use_with offensive all-insults) \
- $(use_with ldap ldap_conf_file /etc/ldap.conf.sudo) \
- $(use_with ldap) \
- $(use_enable nls) \
- $(use_with pam) \
- $(use_with skey) \
- $(use_with selinux) \
- $(use_with sendmail) \
- --without-opie \
- --without-linux-audit \
- --with-rundir="${EPREFIX}"/var/run/sudo \
- --with-vardir="${EPREFIX}"/var/db/sudo \
- --with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo \
- --docdir="${EPREFIX}"/usr/share/doc/${PF}
-}
-
-src_install() {
- default
-
- if use ldap ; then
- dodoc README.LDAP doc/schema.OpenLDAP
- dosbin plugins/sudoers/sudoers2ldif
-
- cat <<-EOF > "${T}"/ldap.conf.sudo
- # See ldap.conf(5) and README.LDAP for details
- # This file should only be readable by root
-
- # supported directives: host, port, ssl, ldap_version
- # uri, binddn, bindpw, sudoers_base, sudoers_debug
- # tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key
- EOF
-
- insinto /etc
- doins "${T}"/ldap.conf.sudo
- fperms 0440 /etc/ldap.conf.sudo
- fi
-
- pamd_mimic system-auth sudo auth account session
-
- keepdir /var/db/sudo
- fperms 0700 /var/db/sudo
-
- # Don't install into /var/run as that is a tmpfs most of the time
- # (bug #504854)
- rm -rf "${D}"/var/run
-}
-
-pkg_postinst() {
- if use ldap ; then
- ewarn
- ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."
- ewarn
- if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
- ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
- ewarn "configured in /etc/nsswitch.conf."
- ewarn
- ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"
- ewarn " sudoers: ldap files"
- ewarn
- fi
- fi
- if use prefix ; then
- ewarn
- ewarn "To use sudo, you need to change file ownership and permissions"
- ewarn "with root privileges, as follows:"
- ewarn
- ewarn " # chown root:root ${EPREFIX}/usr/bin/sudo"
- ewarn " # chown root:root ${EPREFIX}/usr/lib/sudo/sudoers.so"
- ewarn " # chown root:root ${EPREFIX}/etc/sudoers"
- ewarn " # chown root:root ${EPREFIX}/etc/sudoers.d"
- ewarn " # chown root:root ${EPREFIX}/var/db/sudo"
- ewarn " # chmod 4111 ${EPREFIX}/usr/bin/sudo"
- ewarn
- fi
-
- elog "To use the -A (askpass) option, you need to install a compatible"
- elog "password program from the following list. Starred packages will"
- elog "automatically register for the use with sudo (but will not force"
- elog "the -A option):"
- elog ""
- elog " [*] net-misc/ssh-askpass-fullscreen"
- elog " net-misc/x11-ssh-askpass"
- elog ""
- elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
- elog "variable to the program you want to use."
-}
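Review bot: The KEYWORDS line of this ebuild is stable on alpha, arm, ia64, ppc and sparc, while sudo-1.8.14_p3 (also removed here) only has ~alpha, ~arm, ~ia64, ~ppc and ~sparc. Removing 1.8.12 therefore drops the last visibly stable sudo for those arches; the commit should confirm that the remaining sudo-1.8.15 is stable there, otherwise stable users on those arches are left without an installable version or pushed onto ~arch.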
diff --git a/app-admin/sudo/sudo-1.8.14_p3.ebuild b/app-admin/sudo/sudo-1.8.14_p3.ebuild
deleted file mode 100644
index c4e80af..0000000
--- a/app-admin/sudo/sudo-1.8.14_p3.ebuild
+++ /dev/null
@@ -1,196 +0,0 @@
-# Copyright 1999-2015 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-# $Id$
-
-EAPI=5
-
-inherit eutils pam multilib libtool
-
-MY_P=${P/_/}
-MY_P=${MY_P/beta/b}
-
-uri_prefix=
-case ${P} in
-*_beta*|*_rc*) uri_prefix=beta/ ;;
-esac
-
-DESCRIPTION="Allows users or groups to run commands as other users"
-HOMEPAGE="http://www.sudo.ws/"
-SRC_URI="http://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
- ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"
-
-# Basic license is ISC-style as-is, some files are released under
-# 3-clause BSD license
-LICENSE="ISC BSD"
-SLOT="0"
-KEYWORDS="~alpha amd64 ~arm ~arm64 hppa ~ia64 ~m68k ~mips ~ppc ppc64 ~s390 ~sh ~sparc x86 ~amd64-fbsd ~sparc-fbsd ~x86-fbsd ~x64-freebsd ~sparc-solaris"
-IUSE="ldap nls pam offensive selinux skey +sendmail"
-
-DEPEND="pam? ( virtual/pam )
- skey? ( >=sys-auth/skey-1.1.5-r1 )
- ldap? (
- >=net-nds/openldap-2.1.30-r1
- dev-libs/cyrus-sasl
- )
- sys-libs/zlib"
-RDEPEND="${DEPEND}
- selinux? ( sec-policy/selinux-sudo )
- ldap? ( dev-lang/perl )
- pam? ( sys-auth/pambase )
- >=app-misc/editor-wrapper-3
- virtual/editor
- sendmail? ( virtual/mta )"
-DEPEND="${DEPEND}
- sys-devel/bison"
-
-S=${WORKDIR}/${MY_P}
-
-REQUIRED_USE="pam? ( !skey ) skey? ( !pam )"
-
-MAKEOPTS+=" SAMPLES="
-
-src_prepare() {
- elibtoolize
-}
-
-set_rootpath() {
- # FIXME: secure_path is a compile time setting. using ROOTPATH
- # is not perfect, env-update may invalidate this, but until it
- # is available as a sudoers setting this will have to do.
- einfo "Setting secure_path ..."
-
- # first extract the default ROOTPATH from build env
- ROOTPATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env; echo "${ROOTPATH}")
- if [[ -z ${ROOTPATH} ]] ; then
- ewarn " Failed to find ROOTPATH, please report this"
- fi
-
- # then remove duplicate path entries
- cleanpath() {
- local newpath thisp IFS=:
- for thisp in $1 ; do
- if [[ :${newpath}: != *:${thisp}:* ]] ; then
- newpath+=:$thisp
- else
- einfo " Duplicate entry ${thisp} removed..."
- fi
- done
- ROOTPATH=${newpath#:}
- }
- cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${ROOTPATH:+:${ROOTPATH}}
-
- # finally, strip gcc paths #136027
- rmpath() {
- local e newpath thisp IFS=:
- for thisp in ${ROOTPATH} ; do
- for e ; do [[ $thisp == $e ]] && continue 2 ; done
- newpath+=:$thisp
- done
- ROOTPATH=${newpath#:}
- }
- rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*'
-
- einfo "... done"
-}
-
-src_configure() {
- local ROOTPATH
- set_rootpath
-
- # audit: somebody got to explain me how I can test this before I
- # enable it.. - Diego
- # plugindir: autoconf code is crappy and does not delay evaluation
- # until `make` time, so we have to use a full path here rather than
- # basing off other values.
- econf \
- --enable-zlib=system \
- --with-secure-path="${ROOTPATH}" \
- --with-editor="${EPREFIX}"/usr/libexec/editor \
- --with-env-editor \
- $(use_with offensive insults) \
- $(use_with offensive all-insults) \
- $(use_with ldap ldap_conf_file /etc/ldap.conf.sudo) \
- $(use_with ldap) \
- $(use_enable nls) \
- $(use_with pam) \
- $(use_with skey) \
- $(use_with selinux) \
- $(use_with sendmail) \
- --without-opie \
- --without-linux-audit \
- --with-rundir="${EPREFIX}"/var/run/sudo \
- --with-vardir="${EPREFIX}"/var/db/sudo \
- --with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo \
- --docdir="${EPREFIX}"/usr/share/doc/${PF}
-}
-
-src_install() {
- default
-
- if use ldap ; then
- dodoc README.LDAP doc/schema.OpenLDAP
- dosbin plugins/sudoers/sudoers2ldif
-
- cat <<-EOF > "${T}"/ldap.conf.sudo
- # See ldap.conf(5) and README.LDAP for details
- # This file should only be readable by root
-
- # supported directives: host, port, ssl, ldap_version
- # uri, binddn, bindpw, sudoers_base, sudoers_debug
- # tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key
- EOF
-
- insinto /etc
- doins "${T}"/ldap.conf.sudo
- fperms 0440 /etc/ldap.conf.sudo
- fi
-
- pamd_mimic system-auth sudo auth account session
-
- keepdir /var/db/sudo
- fperms 0700 /var/db/sudo
-
- # Don't install into /var/run as that is a tmpfs most of the time
- # (bug #504854)
- rm -rf "${D}"/var/run
-}
-
-pkg_postinst() {
- if use ldap ; then
- ewarn
- ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."
- ewarn
- if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
- ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
- ewarn "configured in /etc/nsswitch.conf."
- ewarn
- ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"
- ewarn " sudoers: ldap files"
- ewarn
- fi
- fi
- if use prefix ; then
- ewarn
- ewarn "To use sudo, you need to change file ownership and permissions"
- ewarn "with root privileges, as follows:"
- ewarn
- ewarn " # chown root:root ${EPREFIX}/usr/bin/sudo"
- ewarn " # chown root:root ${EPREFIX}/usr/lib/sudo/sudoers.so"
- ewarn " # chown root:root ${EPREFIX}/etc/sudoers"
- ewarn " # chown root:root ${EPREFIX}/etc/sudoers.d"
- ewarn " # chown root:root ${EPREFIX}/var/db/sudo"
- ewarn " # chmod 4111 ${EPREFIX}/usr/bin/sudo"
- ewarn
- fi
-
- elog "To use the -A (askpass) option, you need to install a compatible"
- elog "password program from the following list. Starred packages will"
- elog "automatically register for the use with sudo (but will not force"
- elog "the -A option):"
- elog ""
- elog " [*] net-misc/ssh-askpass-fullscreen"
- elog " net-misc/x11-ssh-askpass"
- elog ""
- elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
- elog "variable to the program you want to use."
-}
* [gentoo-commits] repo/gentoo:master commit in: app-admin/sudo/, app-admin/sudo/files/
@ 2019-11-07 9:54 Lars Wendler
From: Lars Wendler @ 2019-11-07 9:54 UTC
To: gentoo-commits
commit: c11c2b56f0938b3f3c0d46c8b17af61bae075174
Author: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Thu Nov 7 09:52:58 2019 +0000
Commit: Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Thu Nov 7 09:54:22 2019 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c11c2b56
app-admin/sudo: Revbumps to fix error message with USE="-pam"
Reported-by: Saul Peebsen <jaglover <AT> gmail.com>
Tested-by: Saul Peebsen <jaglover <AT> gmail.com>
Closes: https://bugs.gentoo.org/698946
Package-Manager: Portage-2.3.78, Repoman-2.3.17
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>
.../sudo-1.8.28-no_pam_error_message_fix.patch | 46 ++++++++++++++++++++++
....8.28_p1-r1.ebuild => sudo-1.8.28_p1-r2.ebuild} | 4 ++
...sudo-1.8.29-r1.ebuild => sudo-1.8.29-r2.ebuild} | 4 ++
3 files changed, 54 insertions(+)
diff --git a/app-admin/sudo/files/sudo-1.8.28-no_pam_error_message_fix.patch b/app-admin/sudo/files/sudo-1.8.28-no_pam_error_message_fix.patch
new file mode 100644
index 00000000000..6931ea26c3b
--- /dev/null
+++ b/app-admin/sudo/files/sudo-1.8.28-no_pam_error_message_fix.patch
@@ -0,0 +1,46 @@
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1573059314 25200
+# Node ID f85ff5ee2caf19cefca67ae49c1d6048d61125cb
+# Parent 5cdcfd9a6c33a157a12f1b1893e397c3198b206b
+Do not warn about a missing /etc/environment file on Linux without PAM.
+Bug #907
+
+diff -r 5cdcfd9a6c33 -r f85ff5ee2caf plugins/sudoers/env.c
+--- a/plugins/sudoers/env.c Tue Nov 05 15:18:34 2019 -0700
++++ b/plugins/sudoers/env.c Wed Nov 06 09:55:14 2019 -0700
+@@ -940,7 +940,8 @@
+ #endif /* HAVE_LOGIN_CAP_H */
+ #if defined(_AIX) || (defined(__linux__) && !defined(HAVE_PAM))
+ /* Insert system-wide environment variables. */
+- read_env_file(_PATH_ENVIRONMENT, true, false);
++ if (!read_env_file(_PATH_ENVIRONMENT, true, false))
++ sudo_warn("%s", _PATH_ENVIRONMENT);
+ #endif
+ for (ep = env.envp; *ep; ep++)
+ env_update_didvar(*ep, &didvar);
+@@ -1218,8 +1219,10 @@
+ efl = calloc(1, sizeof(*efl));
+ if (efl != NULL) {
+ if ((efl->fp = fopen(path, "r")) == NULL) {
+- free(efl);
+- efl = NULL;
++ if (errno != ENOENT) {
++ free(efl);
++ efl = NULL;
++ }
+ }
+ }
+ debug_return_ptr(efl);
+@@ -1259,6 +1262,9 @@
+ debug_decl(env_file_next_local, SUDOERS_DEBUG_ENV)
+
+ *errnum = 0;
++ if (efl->fp == NULL)
++ debug_return_ptr(NULL);
++
+ for (;;) {
+ if (sudo_parseln(&efl->line, &efl->linesize, NULL, efl->fp, PARSELN_CONT_IGN) == -1) {
+ if (!feof(efl->fp))
+
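Review bot: In the env.c hunk at -1218, the ENOENT case now returns an efl whose fp is NULL, and only env_file_next_local is changed to cope with that (the added if (efl->fp == NULL) check). The matching close routine is not touched by this patch, so verify that it does not call fclose(efl->fp) unconditionally, because fclose(NULL) is undefined behaviour. As a style point, the patch file starts with an empty line before "# HG changeset patch"; drop it so the header is the first line.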
diff --git a/app-admin/sudo/sudo-1.8.28_p1-r1.ebuild b/app-admin/sudo/sudo-1.8.28_p1-r2.ebuild
similarity index 98%
rename from app-admin/sudo/sudo-1.8.28_p1-r1.ebuild
rename to app-admin/sudo/sudo-1.8.28_p1-r2.ebuild
index 06397f8cdcb..4c371226f1d 100644
--- a/app-admin/sudo/sudo-1.8.28_p1-r1.ebuild
+++ b/app-admin/sudo/sudo-1.8.28_p1-r2.ebuild
@@ -75,6 +75,10 @@ REQUIRED_USE="
MAKEOPTS+=" SAMPLES="
+PATCHES=(
+ "${FILESDIR}/${PN}-1.8.28-no_pam_error_message_fix.patch" #698946
+)
+
src_prepare() {
default
elibtoolize
diff --git a/app-admin/sudo/sudo-1.8.29-r1.ebuild b/app-admin/sudo/sudo-1.8.29-r2.ebuild
similarity index 98%
rename from app-admin/sudo/sudo-1.8.29-r1.ebuild
rename to app-admin/sudo/sudo-1.8.29-r2.ebuild
index 4aba6ef09a1..3f019d90fd0 100644
--- a/app-admin/sudo/sudo-1.8.29-r1.ebuild
+++ b/app-admin/sudo/sudo-1.8.29-r2.ebuild
@@ -75,6 +75,10 @@ REQUIRED_USE="
MAKEOPTS+=" SAMPLES="
+PATCHES=(
+ "${FILESDIR}/${PN}-1.8.28-no_pam_error_message_fix.patch" #698946
+)
+
src_prepare() {
default
elibtoolize
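Review bot: The PATCHES entry in sudo-1.8.29-r2 reuses the file named for 1.8.28, and the patch inside is an hg diff between revisions 5cdcfd9a6c33 and f85ff5ee2caf dated November 2019, not a diff against either release tarball. Confirm that it applies without fuzz to both 1.8.28p1 and 1.8.29, and consider noting in the commit message that the one file is deliberately shared by both revbumps so that a later cleanup of 1.8.28 does not remove it from under 1.8.29.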
* [gentoo-commits] repo/gentoo:master commit in: app-admin/sudo/, app-admin/sudo/files/
@ 2020-03-30 15:21 Thomas Deutschmann
From: Thomas Deutschmann @ 2020-03-30 15:21 UTC
To: gentoo-commits
commit: 28909837d2ce52371aac93d39b0f79297aad09f3
Author: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
AuthorDate: Mon Mar 30 15:21:30 2020 +0000
Commit: Thomas Deutschmann <whissi <AT> gentoo <DOT> org>
CommitDate: Mon Mar 30 15:21:49 2020 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=28909837
app-admin/sudo: security cleanup
Bug: https://bugs.gentoo.org/707574
Package-Manager: Portage-2.3.96, Repoman-2.3.22
Signed-off-by: Thomas Deutschmann <whissi <AT> gentoo.org>
app-admin/sudo/Manifest | 3 -
.../sudo-1.8.28-no_pam_error_message_fix.patch | 46 ----
app-admin/sudo/sudo-1.8.28_p1-r2.ebuild | 267 ---------------------
app-admin/sudo/sudo-1.8.29-r2.ebuild | 267 ---------------------
app-admin/sudo/sudo-1.8.30.ebuild | 263 --------------------
5 files changed, 846 deletions(-)
diff --git a/app-admin/sudo/Manifest b/app-admin/sudo/Manifest
index 5c165d2900f..223a348e808 100644
--- a/app-admin/sudo/Manifest
+++ b/app-admin/sudo/Manifest
@@ -1,5 +1,2 @@
-DIST sudo-1.8.28p1.tar.gz 3310254 BLAKE2B a1810af7a42d05cce49bb9d0acf6f3731a5193e9e9c3b458691379131eb86d36995854d11c09525e8d999ed1da7e99cf170634667c5a444aa522b8f23db7d1aa SHA512 bda3de34c15fbb68fc29759542295560ccc1562b419d03709cea51613937e9b92ba689c79c3ef4858aeea90d3d1a4dc0148225b11b22cf82395ae1bad8cb1734
-DIST sudo-1.8.29.tar.gz 3338260 BLAKE2B 7ba29d155bfb1d7ba20e32ade2e8ee3919e70400b6c235e313052b247b48406b9a051e71daa7e47fdb0a9fd0889f4c05b8a1a170c027503b90081e8cec81660e SHA512 ea780922b2afb47df4df4b533fb355fd916cb18a6bfd13c7ca36a25b03ef585d805648c6fa85692bea363b1f83664ac3bc622f99bcd149b3a86f70522eb4d340
-DIST sudo-1.8.30.tar.gz 3349455 BLAKE2B 5e0aaa41f42c18cd0de473add3665adf797cd37eacfb4abfc9472814ea679c1e88e28e95e13a73eb7d9648174609d80a2d4eccf3bdf87a44186df07aeba60eee SHA512 d44831feabd92d736614239e0e0f086829d84b213c98524fffb4b926a96715b1156538a7ab5e0b6e0db8be67a6e24a1642b3648105b076d23b58c39d0dd947af
DIST sudo-1.8.31.tar.gz 3350674 BLAKE2B de5a968732fdd58933b4c513d13c43a08cb50075a00c3e0d338c9892570a416a2b3a8f19940c0893715f4eeab991e804831a87ef656ffd91e7f1ba047c119261 SHA512 b9e408a322938c7a712458e9012d8a5f648fba5b23a5057cf5d8372c7f931262595f1575c32c32b9cb1a04af670ff4611e7df48d197e5c4cc038d6b65439a28a
DIST sudo-1.8.31p1.tar.gz 3351312 BLAKE2B 85775ef574a3a1a9cc749809fe81f8350f7a4e3f46a905bc3392790b20bb7bc8e3c99fb504e01776f3a92aa6afa7972d3ff1c071aadd3a08ee1d2281f8b9ba50 SHA512 9344fd1d8a8445e8afb9c5628cdc832fe32ea29199f071f35fb6ec694371801556df560f4382afec199f468b1f3264ad5e3a89e964612e571b8d911f823724cc
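Review bot: The commit message says only "security cleanup" with a bug URL, while this hunk drops the DIST entries for 1.8.28p1, 1.8.29 and 1.8.30 and keeps 1.8.31 and 1.8.31p1. Name the issue being cleaned up and the first fixed version in the message, so that someone auditing the tree can tell why 1.8.30 is treated as affected and 1.8.31 is not without following the bug link.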
diff --git a/app-admin/sudo/files/sudo-1.8.28-no_pam_error_message_fix.patch b/app-admin/sudo/files/sudo-1.8.28-no_pam_error_message_fix.patch
deleted file mode 100644
index 6931ea26c3b..00000000000
--- a/app-admin/sudo/files/sudo-1.8.28-no_pam_error_message_fix.patch
+++ /dev/null
@@ -1,46 +0,0 @@
-
-# HG changeset patch
-# User Todd C. Miller <Todd.Miller@sudo.ws>
-# Date 1573059314 25200
-# Node ID f85ff5ee2caf19cefca67ae49c1d6048d61125cb
-# Parent 5cdcfd9a6c33a157a12f1b1893e397c3198b206b
-Do not warn about a missing /etc/environment file on Linux without PAM.
-Bug #907
-
-diff -r 5cdcfd9a6c33 -r f85ff5ee2caf plugins/sudoers/env.c
---- a/plugins/sudoers/env.c Tue Nov 05 15:18:34 2019 -0700
-+++ b/plugins/sudoers/env.c Wed Nov 06 09:55:14 2019 -0700
-@@ -940,7 +940,8 @@
- #endif /* HAVE_LOGIN_CAP_H */
- #if defined(_AIX) || (defined(__linux__) && !defined(HAVE_PAM))
- /* Insert system-wide environment variables. */
-- read_env_file(_PATH_ENVIRONMENT, true, false);
-+ if (!read_env_file(_PATH_ENVIRONMENT, true, false))
-+ sudo_warn("%s", _PATH_ENVIRONMENT);
- #endif
- for (ep = env.envp; *ep; ep++)
- env_update_didvar(*ep, &didvar);
-@@ -1218,8 +1219,10 @@
- efl = calloc(1, sizeof(*efl));
- if (efl != NULL) {
- if ((efl->fp = fopen(path, "r")) == NULL) {
-- free(efl);
-- efl = NULL;
-+ if (errno != ENOENT) {
-+ free(efl);
-+ efl = NULL;
-+ }
- }
- }
- debug_return_ptr(efl);
-@@ -1259,6 +1262,9 @@
- debug_decl(env_file_next_local, SUDOERS_DEBUG_ENV)
-
- *errnum = 0;
-+ if (efl->fp == NULL)
-+ debug_return_ptr(NULL);
-+
- for (;;) {
- if (sudo_parseln(&efl->line, &efl->linesize, NULL, efl->fp, PARSELN_CONT_IGN) == -1) {
- if (!feof(efl->fp))
-
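Review bot: Removing files/sudo-1.8.28-no_pam_error_message_fix.patch leaves a broken build if any surviving ebuild still lists it in PATCHES. The two ebuilds known to reference it, sudo-1.8.28_p1-r2 and sudo-1.8.29-r2, are deleted in this same commit, but the sudo-1.8.31 and sudo-1.8.31_p1 ebuilds are not shown here; grep them for the file name and confirm the USE="-pam" warning fix is already in those releases.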
diff --git a/app-admin/sudo/sudo-1.8.28_p1-r2.ebuild b/app-admin/sudo/sudo-1.8.28_p1-r2.ebuild
deleted file mode 100644
index 47224e32f95..00000000000
--- a/app-admin/sudo/sudo-1.8.28_p1-r2.ebuild
+++ /dev/null
@@ -1,267 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit pam multilib libtool tmpfiles
-
-MY_P="${P/_/}"
-MY_P="${MY_P/beta/b}"
-
-DESCRIPTION="Allows users or groups to run commands as other users"
-HOMEPAGE="https://www.sudo.ws/"
-if [[ ${PV} == "9999" ]] ; then
- inherit mercurial
- EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
-else
- uri_prefix=
- case ${P} in
- *_beta*|*_rc*) uri_prefix=beta/ ;;
- esac
-
- SRC_URI="https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
- ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"
- if [[ ${PV} != *_beta* ]] && [[ ${PV} != *_rc* ]] ; then
- KEYWORDS="~alpha amd64 arm arm64 hppa ia64 m68k ~mips ppc ppc64 s390 sparc x86 ~sparc-solaris"
- fi
-fi
-
-# Basic license is ISC-style as-is, some files are released under
-# 3-clause BSD license
-LICENSE="ISC BSD"
-SLOT="0"
-IUSE="gcrypt ldap libressl nls offensive pam sasl +secure-path selinux +sendmail skey sssd system-digest"
-
-DEPEND="
- sys-libs/zlib:=
- ldap? (
- >=net-nds/openldap-2.1.30-r1
- sasl? (
- dev-libs/cyrus-sasl
- net-nds/openldap[sasl]
- )
- )
- pam? ( sys-libs/pam )
- sasl? ( dev-libs/cyrus-sasl )
- skey? ( >=sys-auth/skey-1.1.5-r1 )
- sssd? ( sys-auth/sssd[sudo] )
- system-digest? (
- gcrypt? ( dev-libs/libgcrypt:= )
- !gcrypt? (
- !libressl? ( dev-libs/openssl:0= )
- libressl? ( dev-libs/libressl:0= )
- )
- )
-"
-RDEPEND="
- ${DEPEND}
- >=app-misc/editor-wrapper-3
- virtual/editor
- ldap? ( dev-lang/perl )
- pam? ( sys-auth/pambase )
- selinux? ( sec-policy/selinux-sudo )
- sendmail? ( virtual/mta )
-"
-BDEPEND="
- sys-devel/bison
-"
-
-S="${WORKDIR}/${MY_P}"
-
-REQUIRED_USE="
- pam? ( !skey )
- skey? ( !pam )
-"
-
-MAKEOPTS+=" SAMPLES="
-
-PATCHES=(
- "${FILESDIR}/${PN}-1.8.28-no_pam_error_message_fix.patch" #698946
-)
-
-src_prepare() {
- default
- elibtoolize
-}
-
-set_secure_path() {
- # FIXME: secure_path is a compile time setting. using PATH or
- # ROOTPATH is not perfect, env-update may invalidate this, but until it
- # is available as a sudoers setting this will have to do.
- einfo "Setting secure_path ..."
-
- # first extract the default ROOTPATH from build env
- SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env;
- echo "${ROOTPATH}")
- case "${SECURE_PATH}" in
- */usr/sbin*) ;;
- *) SECURE_PATH=$(unset PATH;
- . "${EPREFIX}"/etc/profile.env; echo "${PATH}")
- ;;
- esac
- if [[ -z ${SECURE_PATH} ]] ; then
- ewarn " Failed to detect SECURE_PATH, please report this"
- fi
-
- # then remove duplicate path entries
- cleanpath() {
- local newpath thisp IFS=:
- for thisp in $1 ; do
- if [[ :${newpath}: != *:${thisp}:* ]] ; then
- newpath+=:${thisp}
- else
- einfo " Duplicate entry ${thisp} removed..."
- fi
- done
- SECURE_PATH=${newpath#:}
- }
- cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
-
- # finally, strip gcc paths #136027
- rmpath() {
- local e newpath thisp IFS=:
- for thisp in ${SECURE_PATH} ; do
- for e ; do [[ ${thisp} == ${e} ]] && continue 2 ; done
- newpath+=:${thisp}
- done
- SECURE_PATH=${newpath#:}
- }
- rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*'
-
- einfo "... done"
-}
-
-src_configure() {
- local SECURE_PATH
- set_secure_path
-
- # audit: somebody got to explain me how I can test this before I
- # enable it.. - Diego
- # plugindir: autoconf code is crappy and does not delay evaluation
- # until `make` time, so we have to use a full path here rather than
- # basing off other values.
- myeconfargs=(
- --enable-zlib=system
- --enable-tmpfiles.d="${EPREFIX}"/usr/lib/tmpfiles.d
- --with-editor="${EPREFIX}"/usr/libexec/editor
- --with-env-editor
- --with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo
- --with-rundir="${EPREFIX}"/run/sudo
- $(use_with secure-path secure-path "${SECURE_PATH}")
- --with-vardir="${EPREFIX}"/var/db/sudo
- --without-linux-audit
- --without-opie
- $(use_enable gcrypt)
- $(use_enable nls)
- $(use_enable sasl)
- $(use_with offensive insults)
- $(use_with offensive all-insults)
- $(use_with ldap ldap_conf_file /etc/ldap.conf.sudo)
- $(use_with ldap)
- $(use_with pam)
- $(use_with skey)
- $(use_with sssd)
- $(use_with selinux)
- $(use_with sendmail)
- )
-
- if use system-digest && ! use gcrypt; then
- myeconfargs+=("--enable-openssl")
- else
- myeconfargs+=("--disable-openssl")
- fi
-
- econf "${myeconfargs[@]}"
-}
-
-src_install() {
- default
-
- if use ldap ; then
- dodoc README.LDAP
-
- cat <<-EOF > "${T}"/ldap.conf.sudo
- # See ldap.conf(5) and README.LDAP for details
- # This file should only be readable by root
-
- # supported directives: host, port, ssl, ldap_version
- # uri, binddn, bindpw, sudoers_base, sudoers_debug
- # tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key}
- EOF
-
- if use sasl ; then
- cat <<-EOF >> "${T}"/ldap.conf.sudo
-
- # SASL directives: use_sasl, sasl_mech, sasl_auth_id
- # sasl_secprops, rootuse_sasl, rootsasl_auth_id, krb5_ccname
- EOF
- fi
-
- insinto /etc
- doins "${T}"/ldap.conf.sudo
- fperms 0440 /etc/ldap.conf.sudo
-
- insinto /etc/openldap/schema
- newins doc/schema.OpenLDAP sudo.schema
- fi
-
- pamd_mimic system-auth sudo auth account session
-
- keepdir /var/db/sudo/lectured
- fperms 0700 /var/db/sudo/lectured
- fperms 0711 /var/db/sudo #652958
-
- # Don't install into /run as that is a tmpfs most of the time
- # (bug #504854)
- rm -rf "${ED}"/run
-
- find "${ED}" -type f -name "*.la" -delete || die #697812
-}
-
-pkg_postinst() {
- tmpfiles_process sudo.conf
-
- #652958
- local sudo_db="${EROOT}/var/db/sudo"
- if [[ "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then
- chmod 711 "${sudo_db}" || die
- fi
-
- if use ldap ; then
- ewarn
- ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."
- ewarn
- if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
- ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
- ewarn "configured in /etc/nsswitch.conf."
- ewarn
- ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"
- ewarn " sudoers: ldap files"
- ewarn
- fi
- fi
- if use prefix ; then
- ewarn
- ewarn "To use sudo, you need to change file ownership and permissions"
- ewarn "with root privileges, as follows:"
- ewarn
- ewarn " # chown root:root ${EPREFIX}/usr/bin/sudo"
- ewarn " # chown root:root ${EPREFIX}/usr/lib/sudo/sudoers.so"
- ewarn " # chown root:root ${EPREFIX}/etc/sudoers"
- ewarn " # chown root:root ${EPREFIX}/etc/sudoers.d"
- ewarn " # chown root:root ${EPREFIX}/var/db/sudo"
- ewarn " # chmod 4111 ${EPREFIX}/usr/bin/sudo"
- ewarn
- fi
-
- elog "To use the -A (askpass) option, you need to install a compatible"
- elog "password program from the following list. Starred packages will"
- elog "automatically register for the use with sudo (but will not force"
- elog "the -A option):"
- elog ""
- elog " [*] net-misc/ssh-askpass-fullscreen"
- elog " net-misc/x11-ssh-askpass"
- elog ""
- elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
- elog "variable to the program you want to use."
-}
diff --git a/app-admin/sudo/sudo-1.8.29-r2.ebuild b/app-admin/sudo/sudo-1.8.29-r2.ebuild
deleted file mode 100644
index da5146b1241..00000000000
--- a/app-admin/sudo/sudo-1.8.29-r2.ebuild
+++ /dev/null
@@ -1,267 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit pam multilib libtool tmpfiles
-
-MY_P="${P/_/}"
-MY_P="${MY_P/beta/b}"
-
-DESCRIPTION="Allows users or groups to run commands as other users"
-HOMEPAGE="https://www.sudo.ws/"
-if [[ ${PV} == "9999" ]] ; then
- inherit mercurial
- EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
-else
- uri_prefix=
- case ${P} in
- *_beta*|*_rc*) uri_prefix=beta/ ;;
- esac
-
- SRC_URI="https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
- ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"
- if [[ ${PV} != *_beta* ]] && [[ ${PV} != *_rc* ]] ; then
- KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86 ~sparc-solaris"
- fi
-fi
-
-# Basic license is ISC-style as-is, some files are released under
-# 3-clause BSD license
-LICENSE="ISC BSD"
-SLOT="0"
-IUSE="gcrypt ldap libressl nls offensive pam sasl +secure-path selinux +sendmail skey sssd system-digest"
-
-DEPEND="
- sys-libs/zlib:=
- ldap? (
- >=net-nds/openldap-2.1.30-r1
- sasl? (
- dev-libs/cyrus-sasl
- net-nds/openldap[sasl]
- )
- )
- pam? ( sys-libs/pam )
- sasl? ( dev-libs/cyrus-sasl )
- skey? ( >=sys-auth/skey-1.1.5-r1 )
- sssd? ( sys-auth/sssd[sudo] )
- system-digest? (
- gcrypt? ( dev-libs/libgcrypt:= )
- !gcrypt? (
- !libressl? ( dev-libs/openssl:0= )
- libressl? ( dev-libs/libressl:0= )
- )
- )
-"
-RDEPEND="
- ${DEPEND}
- >=app-misc/editor-wrapper-3
- virtual/editor
- ldap? ( dev-lang/perl )
- pam? ( sys-auth/pambase )
- selinux? ( sec-policy/selinux-sudo )
- sendmail? ( virtual/mta )
-"
-BDEPEND="
- sys-devel/bison
-"
-
-S="${WORKDIR}/${MY_P}"
-
-REQUIRED_USE="
- pam? ( !skey )
- skey? ( !pam )
-"
-
-MAKEOPTS+=" SAMPLES="
-
-PATCHES=(
- "${FILESDIR}/${PN}-1.8.28-no_pam_error_message_fix.patch" #698946
-)
-
-src_prepare() {
- default
- elibtoolize
-}
-
-set_secure_path() {
- # FIXME: secure_path is a compile time setting. using PATH or
- # ROOTPATH is not perfect, env-update may invalidate this, but until it
- # is available as a sudoers setting this will have to do.
- einfo "Setting secure_path ..."
-
- # first extract the default ROOTPATH from build env
- SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env;
- echo "${ROOTPATH}")
- case "${SECURE_PATH}" in
- */usr/sbin*) ;;
- *) SECURE_PATH=$(unset PATH;
- . "${EPREFIX}"/etc/profile.env; echo "${PATH}")
- ;;
- esac
- if [[ -z ${SECURE_PATH} ]] ; then
- ewarn " Failed to detect SECURE_PATH, please report this"
- fi
-
- # then remove duplicate path entries
- cleanpath() {
- local newpath thisp IFS=:
- for thisp in $1 ; do
- if [[ :${newpath}: != *:${thisp}:* ]] ; then
- newpath+=:${thisp}
- else
- einfo " Duplicate entry ${thisp} removed..."
- fi
- done
- SECURE_PATH=${newpath#:}
- }
- cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
-
- # finally, strip gcc paths #136027
- rmpath() {
- local e newpath thisp IFS=:
- for thisp in ${SECURE_PATH} ; do
- for e ; do [[ ${thisp} == ${e} ]] && continue 2 ; done
- newpath+=:${thisp}
- done
- SECURE_PATH=${newpath#:}
- }
- rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*'
-
- einfo "... done"
-}
-
-src_configure() {
- local SECURE_PATH
- set_secure_path
-
- # audit: somebody got to explain me how I can test this before I
- # enable it.. - Diego
- # plugindir: autoconf code is crappy and does not delay evaluation
- # until `make` time, so we have to use a full path here rather than
- # basing off other values.
- myeconfargs=(
- --enable-zlib=system
- --enable-tmpfiles.d="${EPREFIX}"/usr/lib/tmpfiles.d
- --with-editor="${EPREFIX}"/usr/libexec/editor
- --with-env-editor
- --with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo
- --with-rundir="${EPREFIX}"/run/sudo
- $(use_with secure-path secure-path "${SECURE_PATH}")
- --with-vardir="${EPREFIX}"/var/db/sudo
- --without-linux-audit
- --without-opie
- $(use_enable gcrypt)
- $(use_enable nls)
- $(use_enable sasl)
- $(use_with offensive insults)
- $(use_with offensive all-insults)
- $(use_with ldap ldap_conf_file /etc/ldap.conf.sudo)
- $(use_with ldap)
- $(use_with pam)
- $(use_with skey)
- $(use_with sssd)
- $(use_with selinux)
- $(use_with sendmail)
- )
-
- if use system-digest && ! use gcrypt; then
- myeconfargs+=("--enable-openssl")
- else
- myeconfargs+=("--disable-openssl")
- fi
-
- econf "${myeconfargs[@]}"
-}
-
-src_install() {
- default
-
- if use ldap ; then
- dodoc README.LDAP
-
- cat <<-EOF > "${T}"/ldap.conf.sudo
- # See ldap.conf(5) and README.LDAP for details
- # This file should only be readable by root
-
- # supported directives: host, port, ssl, ldap_version
- # uri, binddn, bindpw, sudoers_base, sudoers_debug
- # tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key}
- EOF
-
- if use sasl ; then
- cat <<-EOF >> "${T}"/ldap.conf.sudo
-
- # SASL directives: use_sasl, sasl_mech, sasl_auth_id
- # sasl_secprops, rootuse_sasl, rootsasl_auth_id, krb5_ccname
- EOF
- fi
-
- insinto /etc
- doins "${T}"/ldap.conf.sudo
- fperms 0440 /etc/ldap.conf.sudo
-
- insinto /etc/openldap/schema
- newins doc/schema.OpenLDAP sudo.schema
- fi
-
- pamd_mimic system-auth sudo auth account session
-
- keepdir /var/db/sudo/lectured
- fperms 0700 /var/db/sudo/lectured
- fperms 0711 /var/db/sudo #652958
-
- # Don't install into /run as that is a tmpfs most of the time
- # (bug #504854)
- rm -rf "${ED}"/run
-
- find "${ED}" -type f -name "*.la" -delete || die #697812
-}
-
-pkg_postinst() {
- tmpfiles_process sudo.conf
-
- #652958
- local sudo_db="${EROOT}/var/db/sudo"
- if [[ "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then
- chmod 711 "${sudo_db}" || die
- fi
-
- if use ldap ; then
- ewarn
- ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."
- ewarn
- if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
- ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
- ewarn "configured in /etc/nsswitch.conf."
- ewarn
- ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"
- ewarn " sudoers: ldap files"
- ewarn
- fi
- fi
- if use prefix ; then
- ewarn
- ewarn "To use sudo, you need to change file ownership and permissions"
- ewarn "with root privileges, as follows:"
- ewarn
- ewarn " # chown root:root ${EPREFIX}/usr/bin/sudo"
- ewarn " # chown root:root ${EPREFIX}/usr/lib/sudo/sudoers.so"
- ewarn " # chown root:root ${EPREFIX}/etc/sudoers"
- ewarn " # chown root:root ${EPREFIX}/etc/sudoers.d"
- ewarn " # chown root:root ${EPREFIX}/var/db/sudo"
- ewarn " # chmod 4111 ${EPREFIX}/usr/bin/sudo"
- ewarn
- fi
-
- elog "To use the -A (askpass) option, you need to install a compatible"
- elog "password program from the following list. Starred packages will"
- elog "automatically register for the use with sudo (but will not force"
- elog "the -A option):"
- elog ""
- elog " [*] net-misc/ssh-askpass-fullscreen"
- elog " net-misc/x11-ssh-askpass"
- elog ""
- elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
- elog "variable to the program you want to use."
-}
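Review bot: The PATCHES array in this removed ebuild references "${FILESDIR}/${PN}-1.8.28-no_pam_error_message_fix.patch", so deleting the ebuild can leave that file orphaned in files/. The sudo-1.8.30 ebuild removed further down carries no PATCHES array, so unless a remaining ebuild still applies the patch, it should be deleted in this commit as well.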
diff --git a/app-admin/sudo/sudo-1.8.30.ebuild b/app-admin/sudo/sudo-1.8.30.ebuild
deleted file mode 100644
index f0df8a6c9e2..00000000000
--- a/app-admin/sudo/sudo-1.8.30.ebuild
+++ /dev/null
@@ -1,263 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit pam multilib libtool tmpfiles
-
-MY_P="${P/_/}"
-MY_P="${MY_P/beta/b}"
-
-DESCRIPTION="Allows users or groups to run commands as other users"
-HOMEPAGE="https://www.sudo.ws/"
-if [[ ${PV} == "9999" ]] ; then
- inherit mercurial
- EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
-else
- uri_prefix=
- case ${P} in
- *_beta*|*_rc*) uri_prefix=beta/ ;;
- esac
-
- SRC_URI="https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
- ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"
- if [[ ${PV} != *_beta* ]] && [[ ${PV} != *_rc* ]] ; then
- KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86 ~sparc-solaris"
- fi
-fi
-
-# Basic license is ISC-style as-is, some files are released under
-# 3-clause BSD license
-LICENSE="ISC BSD"
-SLOT="0"
-IUSE="gcrypt ldap libressl nls offensive pam sasl +secure-path selinux +sendmail skey sssd system-digest"
-
-DEPEND="
- sys-libs/zlib:=
- ldap? (
- >=net-nds/openldap-2.1.30-r1
- sasl? (
- dev-libs/cyrus-sasl
- net-nds/openldap[sasl]
- )
- )
- pam? ( sys-libs/pam )
- sasl? ( dev-libs/cyrus-sasl )
- skey? ( >=sys-auth/skey-1.1.5-r1 )
- sssd? ( sys-auth/sssd[sudo] )
- system-digest? (
- gcrypt? ( dev-libs/libgcrypt:= )
- !gcrypt? (
- !libressl? ( dev-libs/openssl:0= )
- libressl? ( dev-libs/libressl:0= )
- )
- )
-"
-RDEPEND="
- ${DEPEND}
- >=app-misc/editor-wrapper-3
- virtual/editor
- ldap? ( dev-lang/perl )
- pam? ( sys-auth/pambase )
- selinux? ( sec-policy/selinux-sudo )
- sendmail? ( virtual/mta )
-"
-BDEPEND="
- sys-devel/bison
-"
-
-S="${WORKDIR}/${MY_P}"
-
-REQUIRED_USE="
- pam? ( !skey )
- skey? ( !pam )
-"
-
-MAKEOPTS+=" SAMPLES="
-
-src_prepare() {
- default
- elibtoolize
-}
-
-set_secure_path() {
- # FIXME: secure_path is a compile time setting. using PATH or
- # ROOTPATH is not perfect, env-update may invalidate this, but until it
- # is available as a sudoers setting this will have to do.
- einfo "Setting secure_path ..."
-
- # first extract the default ROOTPATH from build env
- SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env;
- echo "${ROOTPATH}")
- case "${SECURE_PATH}" in
- */usr/sbin*) ;;
- *) SECURE_PATH=$(unset PATH;
- . "${EPREFIX}"/etc/profile.env; echo "${PATH}")
- ;;
- esac
- if [[ -z ${SECURE_PATH} ]] ; then
- ewarn " Failed to detect SECURE_PATH, please report this"
- fi
-
- # then remove duplicate path entries
- cleanpath() {
- local newpath thisp IFS=:
- for thisp in $1 ; do
- if [[ :${newpath}: != *:${thisp}:* ]] ; then
- newpath+=:${thisp}
- else
- einfo " Duplicate entry ${thisp} removed..."
- fi
- done
- SECURE_PATH=${newpath#:}
- }
- cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
-
- # finally, strip gcc paths #136027
- rmpath() {
- local e newpath thisp IFS=:
- for thisp in ${SECURE_PATH} ; do
- for e ; do [[ ${thisp} == ${e} ]] && continue 2 ; done
- newpath+=:${thisp}
- done
- SECURE_PATH=${newpath#:}
- }
- rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*'
-
- einfo "... done"
-}
-
-src_configure() {
- local SECURE_PATH
- set_secure_path
-
- # audit: somebody got to explain me how I can test this before I
- # enable it.. - Diego
- # plugindir: autoconf code is crappy and does not delay evaluation
- # until `make` time, so we have to use a full path here rather than
- # basing off other values.
- myeconfargs=(
- --enable-zlib=system
- --enable-tmpfiles.d="${EPREFIX}"/usr/lib/tmpfiles.d
- --with-editor="${EPREFIX}"/usr/libexec/editor
- --with-env-editor
- --with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo
- --with-rundir="${EPREFIX}"/run/sudo
- $(use_with secure-path secure-path "${SECURE_PATH}")
- --with-vardir="${EPREFIX}"/var/db/sudo
- --without-linux-audit
- --without-opie
- $(use_enable gcrypt)
- $(use_enable nls)
- $(use_enable sasl)
- $(use_with offensive insults)
- $(use_with offensive all-insults)
- $(use_with ldap ldap_conf_file /etc/ldap.conf.sudo)
- $(use_with ldap)
- $(use_with pam)
- $(use_with skey)
- $(use_with sssd)
- $(use_with selinux)
- $(use_with sendmail)
- )
-
- if use system-digest && ! use gcrypt; then
- myeconfargs+=("--enable-openssl")
- else
- myeconfargs+=("--disable-openssl")
- fi
-
- econf "${myeconfargs[@]}"
-}
-
-src_install() {
- default
-
- if use ldap ; then
- dodoc README.LDAP
-
- cat <<-EOF > "${T}"/ldap.conf.sudo
- # See ldap.conf(5) and README.LDAP for details
- # This file should only be readable by root
-
- # supported directives: host, port, ssl, ldap_version
- # uri, binddn, bindpw, sudoers_base, sudoers_debug
- # tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key}
- EOF
-
- if use sasl ; then
- cat <<-EOF >> "${T}"/ldap.conf.sudo
-
- # SASL directives: use_sasl, sasl_mech, sasl_auth_id
- # sasl_secprops, rootuse_sasl, rootsasl_auth_id, krb5_ccname
- EOF
- fi
-
- insinto /etc
- doins "${T}"/ldap.conf.sudo
- fperms 0440 /etc/ldap.conf.sudo
-
- insinto /etc/openldap/schema
- newins doc/schema.OpenLDAP sudo.schema
- fi
-
- pamd_mimic system-auth sudo auth account session
-
- keepdir /var/db/sudo/lectured
- fperms 0700 /var/db/sudo/lectured
- fperms 0711 /var/db/sudo #652958
-
- # Don't install into /run as that is a tmpfs most of the time
- # (bug #504854)
- rm -rf "${ED}"/run
-
- find "${ED}" -type f -name "*.la" -delete || die #697812
-}
-
-pkg_postinst() {
- tmpfiles_process sudo.conf
-
- #652958
- local sudo_db="${EROOT}/var/db/sudo"
- if [[ "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then
- chmod 711 "${sudo_db}" || die
- fi
-
- if use ldap ; then
- ewarn
- ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."
- ewarn
- if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
- ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
- ewarn "configured in /etc/nsswitch.conf."
- ewarn
- ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"
- ewarn " sudoers: ldap files"
- ewarn
- fi
- fi
- if use prefix ; then
- ewarn
- ewarn "To use sudo, you need to change file ownership and permissions"
- ewarn "with root privileges, as follows:"
- ewarn
- ewarn " # chown root:root ${EPREFIX}/usr/bin/sudo"
- ewarn " # chown root:root ${EPREFIX}/usr/lib/sudo/sudoers.so"
- ewarn " # chown root:root ${EPREFIX}/etc/sudoers"
- ewarn " # chown root:root ${EPREFIX}/etc/sudoers.d"
- ewarn " # chown root:root ${EPREFIX}/var/db/sudo"
- ewarn " # chmod 4111 ${EPREFIX}/usr/bin/sudo"
- ewarn
- fi
-
- elog "To use the -A (askpass) option, you need to install a compatible"
- elog "password program from the following list. Starred packages will"
- elog "automatically register for the use with sudo (but will not force"
- elog "the -A option):"
- elog ""
- elog " [*] net-misc/ssh-askpass-fullscreen"
- elog " net-misc/x11-ssh-askpass"
- elog ""
- elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
- elog "variable to the program you want to use."
-}
* [gentoo-commits] repo/gentoo:master commit in: app-admin/sudo/, app-admin/sudo/files/
@ 2022-06-07 22:20 Sam James
0 siblings, 0 replies; 8+ messages in thread
From: Sam James @ 2022-06-07 22:20 UTC (permalink / raw
To: gentoo-commits
commit: d026e6e417699653eeb305f0af3257fd66e599d6
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Tue Jun 7 22:18:00 2022 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Tue Jun 7 22:18:00 2022 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d026e6e4
app-admin/sudo: backport arm64 build fix patch
Closes: https://bugs.gentoo.org/850454
Signed-off-by: Sam James <sam <AT> gentoo.org>
.../sudo/files/sudo-1.9.11-fix-arm64-build.patch | 23 ++++++++++++++++++++++
app-admin/sudo/sudo-1.9.11.ebuild | 4 ++++
2 files changed, 27 insertions(+)
diff --git a/app-admin/sudo/files/sudo-1.9.11-fix-arm64-build.patch b/app-admin/sudo/files/sudo-1.9.11-fix-arm64-build.patch
new file mode 100644
index 000000000000..baf960d49530
--- /dev/null
+++ b/app-admin/sudo/files/sudo-1.9.11-fix-arm64-build.patch
@@ -0,0 +1,23 @@
+https://github.com/sudo-project/sudo/commit/d549adf04bfde7936306203e2e8886ffd93d00ea
+https://bugs.gentoo.org/850454
+
+From: Pierre Bourdon <delroth@gmail.com>
+Date: Tue, 7 Jun 2022 17:14:39 +0200
+Subject: [PATCH] exec_ptrace: fix missing sudo_pt_regs on aarch64
+
+AArch64 already had an existing "user_pt_regs" struct and didn't need a
+struct alias before the renaming to "sudo_pt_regs". Make the code build
+again by adding the now missing alias.
+
+Fixes: 2eb8ff17
+--- a/src/exec_ptrace.h
++++ b/src/exec_ptrace.h
+@@ -76,6 +76,7 @@
+ # define reg_arg4(x) (x).r10
+ #elif defined(__aarch64__)
+ # define SECCOMP_AUDIT_ARCH AUDIT_ARCH_AARCH64
++# define sudo_pt_regs struct user_pt_regs
+ # define reg_syscall(x) (x).regs[8] /* w8 */
+ # define reg_retval(x) (x).regs[0] /* x0 */
+ # define reg_sp(x) (x).sp /* sp */
+
diff --git a/app-admin/sudo/sudo-1.9.11.ebuild b/app-admin/sudo/sudo-1.9.11.ebuild
index dda0650bd5fc..7515b25714d3 100644
--- a/app-admin/sudo/sudo-1.9.11.ebuild
+++ b/app-admin/sudo/sudo-1.9.11.ebuild
@@ -80,6 +80,10 @@ REQUIRED_USE="
MAKEOPTS+=" SAMPLES="
+PATCHES=(
+ "${FILESDIR}"/${P}-fix-arm64-build.patch
+)
+
src_prepare() {
default
elibtoolize
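Review bot: The new PATCHES entry is named through ${P}, which ties the path to this exact version: if the ebuild is copied for a version bump, "${FILESDIR}"/${P}-fix-arm64-build.patch resolves to a file that does not exist. Spelling the version out, as in "${FILESDIR}"/${PN}-1.9.11-fix-arm64-build.patch, keeps the reference stable until the patch is deliberately dropped.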
* [gentoo-commits] repo/gentoo:master commit in: app-admin/sudo/, app-admin/sudo/files/
@ 2022-10-28 20:11 Sam James
0 siblings, 0 replies; 8+ messages in thread
From: Sam James @ 2022-10-28 20:11 UTC (permalink / raw
To: gentoo-commits
commit: 73fc86d879db42a9ce5a4ef9b73f088b02551169
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Fri Oct 28 20:11:14 2022 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Fri Oct 28 20:11:14 2022 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=73fc86d8
app-admin/sudo: backport MIPS patch
Closes: https://bugs.gentoo.org/878401
Signed-off-by: Sam James <sam <AT> gentoo.org>
app-admin/sudo/files/sudo-1.9.12-mips-build.patch | 33 +++++++++++++++++++++++
app-admin/sudo/sudo-1.9.12.ebuild | 4 +++
2 files changed, 37 insertions(+)
diff --git a/app-admin/sudo/files/sudo-1.9.12-mips-build.patch b/app-admin/sudo/files/sudo-1.9.12-mips-build.patch
new file mode 100644
index 000000000000..d45393dba443
--- /dev/null
+++ b/app-admin/sudo/files/sudo-1.9.12-mips-build.patch
@@ -0,0 +1,33 @@
+https://github.com/sudo-project/sudo/commit/7944494196d4a9b33e0ae64a7e20f86e19c336d3
+https://bugs.gentoo.org/878401
+
+From 7944494196d4a9b33e0ae64a7e20f86e19c336d3 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Wed, 26 Oct 2022 16:35:30 -0600
+Subject: [PATCH] Fix compilation error on Linux/mips.
+
+--- a/src/exec_ptrace.c
++++ b/src/exec_ptrace.c
+@@ -282,16 +282,17 @@ set_sc_arg4(struct sudo_ptrace_regs *regs, unsigned long addr)
+ static bool
+ ptrace_getregs(int pid, struct sudo_ptrace_regs *regs, int compat)
+ {
++ struct iovec iov;
+ debug_decl(ptrace_getregs, SUDO_DEBUG_EXEC);
+
++ iov.iov_base = ®s->u;
++ iov.iov_len = sizeof(regs->u);
++
+ # ifdef __mips__
+ /* PTRACE_GETREGSET has bugs with the MIPS o32 ABI at least. */
+- if (ptrace(PTRACE_GETREGS, pid, NULL, ®s->u) == -1)
++ if (ptrace(PTRACE_GETREGS, pid, NULL, iov.iov_base) == -1)
+ debug_return_bool(false);
+ # else
+- struct iovec iov;
+- iov.iov_base = ®s->u;
+- iov.iov_len = sizeof(regs->u);
+ if (ptrace(PTRACE_GETREGSET, pid, (void *)NT_PRSTATUS, &iov) == -1)
+ debug_return_bool(false);
+ # endif /* __mips__ */
+
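Review bot: After this change iov is initialised on both paths, but the __mips__ branch only reads iov.iov_base, so iov.iov_len is dead there and the indirection through iov hides that PTRACE_GETREGS receives a bare buffer pointer with no length. A short comment above the two assignments stating why the setup is unconditional, or passing the register buffer directly in the __mips__ branch as before, would make the intent clearer to the next reader.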
diff --git a/app-admin/sudo/sudo-1.9.12.ebuild b/app-admin/sudo/sudo-1.9.12.ebuild
index 046d001b4139..d3e78ea71235 100644
--- a/app-admin/sudo/sudo-1.9.12.ebuild
+++ b/app-admin/sudo/sudo-1.9.12.ebuild
@@ -82,6 +82,10 @@ REQUIRED_USE="
MAKEOPTS+=" SAMPLES="
+PATCHES=(
+ "${FILESDIR}"/${P}-mips-build.patch
+)
+
src_prepare() {
default
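Review bot: The PATCHES entry carries no bug reference, although the commit message closes bug 878401 and the older sudo ebuilds in this thread annotate theirs (the 1.8.28 PAM patch line ends in #698946). A trailing "# bug #878401" comment on the entry would show at the next bump why the patch is there and when it can be removed.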
* [gentoo-commits] repo/gentoo:master commit in: app-admin/sudo/, app-admin/sudo/files/
@ 2023-02-15 4:05 Sam James
0 siblings, 0 replies; 8+ messages in thread
From: Sam James @ 2023-02-15 4:05 UTC (permalink / raw
To: gentoo-commits
commit: 6f0d46367c6c163fa0d560ef0aed8cb093c3f3f9
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Wed Feb 15 03:40:29 2023 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Wed Feb 15 03:40:44 2023 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6f0d4636
app-admin/sudo: fix build w/ gcc 13
Signed-off-by: Sam James <sam <AT> gentoo.org>
app-admin/sudo/files/sudo-1.9.13-gcc-13.patch | 53 ++++++++++++++++++++++
.../files/sudo-1.9.13-missing-bracket-as-if.patch | 40 ++++++++++++++++
app-admin/sudo/sudo-1.9.13.ebuild | 5 ++
3 files changed, 98 insertions(+)
diff --git a/app-admin/sudo/files/sudo-1.9.13-gcc-13.patch b/app-admin/sudo/files/sudo-1.9.13-gcc-13.patch
new file mode 100644
index 000000000000..4ebdce7e9f67
--- /dev/null
+++ b/app-admin/sudo/files/sudo-1.9.13-gcc-13.patch
@@ -0,0 +1,53 @@
+https://github.com/sudo-project/sudo/issues/239
+https://github.com/sudo-project/sudo/pull/240
+
+From 20d1348354ddbfb1b1f95522f81d73ec00988358 Mon Sep 17 00:00:00 2001
+From: Sam James <sam@gentoo.org>
+Date: Wed, 15 Feb 2023 03:20:36 +0000
+Subject: [PATCH] sudo_fatal: Fix build where compiler recognises [[noreturn]]
+ attribute (C23)
+
+If the compiler supports [[noreturn]] as a attribute as in C23,
+then we define sudo_noreturn to be it. When that's the case, we must place
+it at the beginning of the declaration, before any other *extension*
+attributes (__attribute(...)).
+
+sudo_dso_public is always an extension attribute, while sudo_noreturn only
+might be, so put it first.
+
+This only shows up with GCC 13 so far (see the linked GCC bug (notabug)
+for a bit more exploration). Clang 16 does support the attribute but doesn't let
+you sue it for earlier language versions (need to pass explicit -std=c2x,
+unlike with GCC here).
+
+This is essentially a followup to e707ffe58b3ccfe5c72f54c38eac1d7069d5021e.
+
+Tested with GCC 13.0.1 20230212 (unreleased), GCC 12.2.1 20230211,
+Clang 16.0.0_rc2, and Clang 15.0.7.
+
+Bug: https://gcc.gnu.org/bugzilla/show_bug.cgi?id=108796
+Closes: https://github.com/sudo-project/sudo/issues/239
+Fixes: e707ffe58b3ccfe5c72f54c38eac1d7069d5021e
+Fixes: 16ae61dcd7d3cd8bf6eb10a22fa742d4505da4e9
+--- a/include/sudo_fatal.h
++++ b/include/sudo_fatal.h
+@@ -171,12 +171,12 @@ sudo_dso_public int sudo_fatal_callback_deregister_v1(sudo_fatal_callback_t fun
+ sudo_dso_public int sudo_fatal_callback_register_v1(sudo_fatal_callback_t func);
+ sudo_dso_public char *sudo_warn_gettext_v1(const char *domainname, const char *msgid) sudo_attr_fmt_arg(2);
+ sudo_dso_public void sudo_warn_set_locale_func_v1(sudo_warn_setlocale_t func);
+-sudo_dso_public sudo_noreturn void sudo_fatal_nodebug_v1(const char *fmt, ...) sudo_printf0like(1, 2);
+-sudo_dso_public sudo_noreturn void sudo_fatalx_nodebug_v1(const char *fmt, ...) sudo_printflike(1, 2);
+-sudo_dso_public sudo_noreturn void sudo_gai_fatal_nodebug_v1(int errnum, const char *fmt, ...) sudo_printflike(2, 3);
+-sudo_dso_public sudo_noreturn void sudo_vfatal_nodebug_v1(const char *fmt, va_list ap) sudo_printf0like(1, 0);
+-sudo_dso_public sudo_noreturn void sudo_vfatalx_nodebug_v1(const char *fmt, va_list ap) sudo_printflike(1, 0);
+-sudo_dso_public sudo_noreturn void sudo_gai_vfatal_nodebug_v1(int errnum, const char *fmt, va_list ap) sudo_printflike(2, 0);
++sudo_noreturn sudo_dso_public void sudo_fatal_nodebug_v1(const char *fmt, ...) sudo_printf0like(1, 2);
++sudo_noreturn sudo_dso_public void sudo_fatalx_nodebug_v1(const char *fmt, ...) sudo_printflike(1, 2);
++sudo_noreturn sudo_dso_public void sudo_gai_fatal_nodebug_v1(int errnum, const char *fmt, ...) sudo_printflike(2, 3);
++sudo_noreturn sudo_dso_public void sudo_vfatal_nodebug_v1(const char *fmt, va_list ap) sudo_printf0like(1, 0);
++sudo_noreturn sudo_dso_public void sudo_vfatalx_nodebug_v1(const char *fmt, va_list ap) sudo_printflike(1, 0);
++sudo_noreturn sudo_dso_public void sudo_gai_vfatal_nodebug_v1(int errnum, const char *fmt, va_list ap) sudo_printflike(2, 0);
+ sudo_dso_public void sudo_warn_nodebug_v1(const char *fmt, ...) sudo_printf0like(1, 2);
+ sudo_dso_public void sudo_warnx_nodebug_v1(const char *fmt, ...) sudo_printflike(1, 2);
+ sudo_dso_public void sudo_gai_warn_nodebug_v1(int errnum, const char *fmt, ...) sudo_printflike(2, 3);
+
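Review bot: Only the six *fatal*_nodebug_v1 declarations in include/sudo_fatal.h are reordered, so any other declaration that still writes "sudo_dso_public sudo_noreturn" would hit the same error once sudo_noreturn expands to [[noreturn]]; it is worth grepping the tree for that order before relying on this patch. The embedded description also has two typos ("a attribute", "sue it") that are worth fixing in the upstream pull request the header links to.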
diff --git a/app-admin/sudo/files/sudo-1.9.13-missing-bracket-as-if.patch b/app-admin/sudo/files/sudo-1.9.13-missing-bracket-as-if.patch
new file mode 100644
index 000000000000..e341e93a99bc
--- /dev/null
+++ b/app-admin/sudo/files/sudo-1.9.13-missing-bracket-as-if.patch
@@ -0,0 +1,40 @@
+https://github.com/sudo-project/sudo/commit/defec5d46eec7345b62060049f72215ffd7f3e7e
+
+From defec5d46eec7345b62060049f72215ffd7f3e7e Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Tue, 14 Feb 2023 14:24:28 -0700
+Subject: [PATCH] Add missing '[' to AS_IF() call. Fixes GitHub issue #238.
+
+--- a/configure
++++ b/configure
+@@ -24525,7 +24525,8 @@ fi
+
+ if test X"$with_noexec" != X"no"
+ then :
+- # Check for non-standard exec functions
++
++ # Check for non-standard exec functions
+ ac_fn_c_check_func "$LINENO" "exect" "ac_cv_func_exect"
+ if test "x$ac_cv_func_exect" = xyes
+ then :
+@@ -24564,7 +24565,7 @@ fi
+
+
+ fi
+-]
++
+ fi
+
+ cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+--- a/configure.ac
++++ b/configure.ac
+@@ -3022,7 +3022,7 @@ AC_CHECK_FUNCS([setpassent setgroupent])
+ dnl
+ dnl Function checks for sudo_noexec
+ dnl
+-AS_IF([test X"$with_noexec" != X"no"],
++AS_IF([test X"$with_noexec" != X"no"], [
+ # Check for non-standard exec functions
+ AC_CHECK_FUNCS([exect execvP execvpe])
+ # Check for posix_spawn, and posix_spawnp
+
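Review bot: The patch edits the generated configure first and configure.ac second, so once it is applied configure.ac can carry the newer timestamp; if the build has rules that regenerate configure when its input changes, that can pull autoconf into the build unexpectedly. As far as the ebuild context in this thread shows, src_prepare runs default and elibtoolize rather than regenerating configure, so either ship only the configure hunks, or ship only the configure.ac hunk and regenerate with eautoreconf.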
diff --git a/app-admin/sudo/sudo-1.9.13.ebuild b/app-admin/sudo/sudo-1.9.13.ebuild
index 2d77e6863bd9..a4d75f41c04b 100644
--- a/app-admin/sudo/sudo-1.9.13.ebuild
+++ b/app-admin/sudo/sudo-1.9.13.ebuild
@@ -86,6 +86,11 @@ REQUIRED_USE="
MAKEOPTS+=" SAMPLES="
+PATCHES=(
+ "${FILESDIR}"/${PN}-1.9.13-missing-bracket-as-if.patch
+ "${FILESDIR}"/${PN}-1.9.13-gcc-13.patch
+)
+
src_prepare() {
default
* [gentoo-commits] repo/gentoo:master commit in: app-admin/sudo/, app-admin/sudo/files/
@ 2023-04-28 6:05 Sam James
0 siblings, 0 replies; 8+ messages in thread
From: Sam James @ 2023-04-28 6:05 UTC (permalink / raw
To: gentoo-commits
commit: e18037cbb2c011565992f5cc5affa0c931651a41
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Fri Apr 28 05:42:07 2023 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Fri Apr 28 06:04:08 2023 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e18037cb
app-admin/sudo: fix configure w/ clang 16
Signed-off-by: Sam James <sam <AT> gentoo.org>
.../files/sudo-1.9.13_p3-configure-clang16.patch | 105 ++++++++
app-admin/sudo/sudo-1.9.13_p3-r1.ebuild | 290 +++++++++++++++++++++
2 files changed, 395 insertions(+)
diff --git a/app-admin/sudo/files/sudo-1.9.13_p3-configure-clang16.patch b/app-admin/sudo/files/sudo-1.9.13_p3-configure-clang16.patch
new file mode 100644
index 000000000000..a9b9434c2b01
--- /dev/null
+++ b/app-admin/sudo/files/sudo-1.9.13_p3-configure-clang16.patch
@@ -0,0 +1,105 @@
+ttps://www.sudo.ws/pipermail/sudo-workers/2023-April/001387.html
+https://github.com/sudo-project/sudo/commit/b83140e0f18fb27d310a4839a14f5c3febd2770b
+https://github.com/sudo-project/sudo/commit/075ee0f9dc234f9a7e680b16304809e5546965d5
+
+From b83140e0f18fb27d310a4839a14f5c3febd2770b Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Wed, 26 Apr 2023 11:10:46 -0600
+Subject: [PATCH] Use ldap_msgfree() instead of ldap_init() for the lber.h
+ test. The ldap_init() function is marked as deprecated and not defined by
+ default on some systems. This can cause an error for compilers that do not
+ support implicit function declarations. From Florian Weimer.
+
+--- a/configure
++++ b/configure
+@@ -31515,7 +31515,7 @@ else case e in #(
+ int
+ main (void)
+ {
+-(void)ldap_init(0, 0)
++return ldap_msgfree(NULL)
+ ;
+ return 0;
+ }
+--- a/m4/ldap.m4
++++ b/m4/ldap.m4
+@@ -52,7 +52,7 @@ AC_DEFUN([SUDO_CHECK_LDAP], [
+ #include <lber.h>])
+ AC_CACHE_CHECK([whether lber.h is needed when including ldap.h], [sudo_cv_header_lber_h], [
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <sys/types.h>
+-#include <ldap.h>]], [[(void)ldap_init(0, 0)]])], [
++#include <ldap.h>]], [[return ldap_msgfree(NULL)]])], [
+ # No need to explicitly include lber.h when including ldap.h.
+ sudo_cv_header_lber_h=no
+ ], [
+
+From 075ee0f9dc234f9a7e680b16304809e5546965d5 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Wed, 26 Apr 2023 12:44:10 -0600
+Subject: [PATCH] Add missing stdio.h include for the _FORTIFY_SOURCE=2 check.
+ Implementations of _FORTIFY_SOURCE require the header file to be included.
+ Also remove the useless test of an empty program with _FORTIFY_SOURCE
+ defined. Pointed out by Florian Weimer.
+
+--- a/configure
++++ b/configure
+@@ -34207,33 +34207,11 @@ else case e in #(
+ e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+ /* end confdefs.h. */
+
+-
+-int
+-main (void)
+-{
+-char buf[4]; (void)sprintf(buf, "%s", "foo");
+-
+- ;
+- return 0;
+-}
+-_ACEOF
+-if ac_fn_c_try_link "$LINENO"
+-then :
+- sudo_cv_use_fortify_source=yes
+-else case e in #(
+- e) sudo_cv_use_fortify_source=no
+- ;;
+-esac
+-fi
+-rm -f core conftest.err conftest.$ac_objext conftest.beam \
+- conftest$ac_exeext conftest.$ac_ext
+-
+- cat confdefs.h - <<_ACEOF >conftest.$ac_ext
+-/* end confdefs.h. */
+-
++ #include <stdio.h>
+ int
+ main (void)
+ {
++char buf[4]; sprintf(buf, "%s", "foo"); return buf[0];
+
+ ;
+ return 0;
+--- a/m4/hardening.m4
++++ b/m4/hardening.m4
+@@ -10,18 +10,13 @@ AC_DEFUN([SUDO_CHECK_HARDENING], [
+ [sudo_cv_use_fortify_source],
+ [AC_LINK_IFELSE([
+ AC_LANG_PROGRAM(
+- [[]], [[char buf[4]; (void)sprintf(buf, "%s", "foo");]]
++ [[#include <stdio.h>]],
++ [[char buf[4]; sprintf(buf, "%s", "foo"); return buf[0];]]
+ )],
+ [sudo_cv_use_fortify_source=yes],
+ [sudo_cv_use_fortify_source=no]
+ )
+ ]
+- [AC_LINK_IFELSE(
+- [AC_LANG_PROGRAM([[]], [[]])],
+- [sudo_cv_use_fortify_source=yes],
+- [sudo_cv_use_fortify_source=no]
+- )
+- ]
+ )
+ if test "$sudo_cv_use_fortify_source" != yes; then
+ CPPFLAGS="$O_CPPFLAGS"
+
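Review bot: the first reference line of the patch header reads `ttps://www.sudo.ws/pipermail/sudo-workers/2023-April/001387.html`, missing the leading `h`, so the link to the upstream discussion is not usable as written and should start with `https://`. Separately, the patch touches both the generated `configure` and the `m4/ldap.m4` / `m4/hardening.m4` sources; since the accompanying ebuild's `src_prepare` runs `elibtoolize` and does not regenerate `configure`, only the `configure` hunks take effect at build time, and a one-line comment in the header saying so would help whoever rebases this patch.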
diff --git a/app-admin/sudo/sudo-1.9.13_p3-r1.ebuild b/app-admin/sudo/sudo-1.9.13_p3-r1.ebuild
new file mode 100644
index 000000000000..d0d8ed1de45f
--- /dev/null
+++ b/app-admin/sudo/sudo-1.9.13_p3-r1.ebuild
@@ -0,0 +1,290 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit pam libtool tmpfiles toolchain-funcs
+
+MY_P="${P/_/}"
+MY_P="${MY_P/beta/b}"
+
+DESCRIPTION="Allows users or groups to run commands as other users"
+HOMEPAGE="https://www.sudo.ws/"
+
+if [[ ${PV} == 9999 ]] ; then
+ inherit mercurial
+ EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
+else
+ VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/sudo.ws.asc
+ inherit verify-sig
+
+ uri_prefix=
+ case ${P} in
+ *_beta*|*_rc*) uri_prefix=beta/ ;;
+ esac
+
+ SRC_URI="
+ https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
+ ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz
+ verify-sig? (
+ https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz.sig
+ ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz.sig
+ )
+ "
+
+ if [[ ${PV} != *_beta* && ${PV} != *_rc* ]] ; then
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~sparc-solaris"
+ fi
+
+ BDEPEND+="verify-sig? ( sec-keys/openpgp-keys-sudo )"
+fi
+
+S="${WORKDIR}/${MY_P}"
+
+# Basic license is ISC-style as-is, some files are released under
+# 3-clause BSD license
+LICENSE="ISC BSD"
+SLOT="0"
+IUSE="gcrypt ldap nls offensive pam sasl +secure-path selinux +sendmail skey ssl sssd"
+
+DEPEND="
+ sys-libs/zlib:=
+ virtual/libcrypt:=
+ gcrypt? ( dev-libs/libgcrypt:= )
+ ldap? (
+ >=net-nds/openldap-2.1.30-r1:=
+ sasl? (
+ dev-libs/cyrus-sasl
+ net-nds/openldap:=[sasl]
+ )
+ )
+ pam? ( sys-libs/pam )
+ sasl? ( dev-libs/cyrus-sasl )
+ selinux? ( sys-libs/libselinux )
+ skey? ( >=sys-auth/skey-1.1.5-r1 )
+ ssl? ( dev-libs/openssl:0= )
+ sssd? ( sys-auth/sssd[sudo] )
+"
+RDEPEND="
+ ${DEPEND}
+ >=app-misc/editor-wrapper-3
+ virtual/editor
+ ldap? ( dev-lang/perl )
+ pam? ( sys-auth/pambase )
+ selinux? ( sec-policy/selinux-sudo )
+ sendmail? ( virtual/mta )
+"
+BDEPEND+="
+ sys-devel/bison
+ virtual/pkgconfig
+"
+
+REQUIRED_USE="
+ ?? ( pam skey )
+ ?? ( gcrypt ssl )
+"
+
+MAKEOPTS+=" SAMPLES="
+
+PATCHES=(
+ "${FILESDIR}"/${PN}-1.9.13_p3-configure-clang16.patch
+)
+
+src_prepare() {
+ default
+
+ elibtoolize
+}
+
+set_secure_path() {
+ # First extract the default ROOTPATH from build env
+ SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env; echo "${ROOTPATH}")
+
+ case "${SECURE_PATH}" in
+ */usr/sbin*)
+ ;;
+ *)
+ SECURE_PATH=$(unset PATH; . "${EPREFIX}"/etc/profile.env; echo "${PATH}")
+ ;;
+ esac
+
+ if [[ -z ${SECURE_PATH} ]] ; then
+ ewarn " Failed to detect SECURE_PATH, please report this"
+ fi
+
+ # Then remove duplicate path entries
+ cleanpath() {
+ local newpath thisp IFS=:
+ for thisp in $1 ; do
+ if [[ :${newpath}: != *:${thisp}:* ]] ; then
+ newpath+=:${thisp}
+ else
+ einfo " Duplicate entry ${thisp} removed..."
+ fi
+ done
+ SECURE_PATH=${newpath#:}
+ }
+ cleanpath /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
+
+ # Finally, strip gcc paths, bug #136027
+ rmpath() {
+ local e newpath thisp IFS=:
+ for thisp in ${SECURE_PATH} ; do
+ for e ; do
+ [[ ${thisp} == ${e} ]] && continue 2 ;
+ done
+ newpath+=:${thisp}
+ done
+ SECURE_PATH=${newpath#:}
+ }
+ rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*'
+}
+
+src_configure() {
+ local SECURE_PATH
+
+ set_secure_path
+
+ # bug #767712
+ tc-export PKG_CONFIG
+
+ # - audit: somebody got to explain me how I can test this before I
+ # enable it.. - Diego
+ # - plugindir: autoconf code is crappy and does not delay evaluation
+ # until `make` time, so we have to use a full path here rather than
+ # basing off other values.
+ local myeconfargs=(
+ # We set all of the relevant options by ourselves (patched
+ # into the toolchain) and setting these in the build system
+ # actually causes a downgrade when using e.g. -D_FORTIFY_SOURCE=3
+ # (it'll downgrade to =2). So, this has no functional effect on
+ # the hardening for users. It's safe.
+ --disable-hardening
+
+ # requires some python eclass
+ --disable-python
+ --enable-tmpfiles.d="${EPREFIX}"/usr/lib/tmpfiles.d
+ --enable-zlib=system
+ --with-editor="${EPREFIX}"/usr/libexec/editor
+ --with-env-editor
+ --with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo
+ --with-rundir="${EPREFIX}"/run/sudo
+ --with-vardir="${EPREFIX}"/var/db/sudo
+ --without-linux-audit
+ --without-opie
+ $(use_enable gcrypt)
+ $(use_enable nls)
+ $(use_enable sasl)
+ $(use_enable ssl openssl)
+ $(use_with ldap)
+ $(use_with ldap ldap_conf_file /etc/ldap.conf.sudo)
+ $(use_with offensive insults)
+ $(use_with offensive all-insults)
+ $(use_with pam)
+ $(use_with pam pam-login)
+ $(use_with secure-path secure-path "${SECURE_PATH}")
+ $(use_with selinux)
+ $(use_with sendmail)
+ $(use_with skey)
+ $(use_with sssd)
+ )
+
+ econf "${myeconfargs[@]}"
+}
+
+src_install() {
+ default
+
+ if use ldap ; then
+ dodoc README.LDAP.md
+
+ cat <<-EOF > "${T}"/ldap.conf.sudo
+ # See ldap.conf(5) and README.LDAP.md for details
+ # This file should only be readable by root
+
+ # supported directives: host, port, ssl, ldap_version
+ # uri, binddn, bindpw, sudoers_base, sudoers_debug
+ # tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key}
+ EOF
+
+ if use sasl ; then
+ cat <<-EOF >> "${T}"/ldap.conf.sudo
+
+ # SASL directives: use_sasl, sasl_mech, sasl_auth_id
+ # sasl_secprops, rootuse_sasl, rootsasl_auth_id, krb5_ccname
+ EOF
+ fi
+
+ insinto /etc
+ doins "${T}"/ldap.conf.sudo
+ fperms 0440 /etc/ldap.conf.sudo
+
+ insinto /etc/openldap/schema
+ newins docs/schema.OpenLDAP sudo.schema
+ fi
+
+ if use pam ; then
+ pamd_mimic system-auth sudo auth account session
+ pamd_mimic system-auth sudo-i auth account session
+ fi
+
+ keepdir /var/db/sudo/lectured
+ fperms 0700 /var/db/sudo/lectured
+ # bug #652958
+ fperms 0711 /var/db/sudo
+
+ # Don't install into /run as that is a tmpfs most of the time
+ # (bug #504854)
+ rm -rf "${ED}"/run || die
+
+ # bug #697812
+ find "${ED}" -type f -name "*.la" -delete || die
+}
+
+pkg_postinst() {
+ tmpfiles_process sudo.conf
+
+ # bug #652958
+ local sudo_db="${EROOT}/var/db/sudo"
+ if [[ "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then
+ chmod 711 "${sudo_db}" || die
+ fi
+
+ if use ldap ; then
+ ewarn
+ ewarn "sudo uses the ${ROOT}/etc/ldap.conf.sudo file for ldap configuration."
+ ewarn
+ if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
+ ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
+ ewarn "configured in ${ROOT}/etc/nsswitch.conf."
+ ewarn
+ ewarn "To make use of LDAP, add this line to your ${ROOT}/etc/nsswitch.conf:"
+ ewarn " sudoers: ldap files"
+ ewarn
+ fi
+ fi
+ if use prefix ; then
+ ewarn
+ ewarn "To use sudo on Prefix, you need to change file ownership and permissions"
+ ewarn "with root privileges, as follows:"
+ ewarn
+ ewarn " # chown root:root ${EPREFIX}/usr/bin/sudo"
+ ewarn " # chown root:root ${EPREFIX}/usr/lib/sudo/sudoers.so"
+ ewarn " # chown root:root ${EPREFIX}/etc/sudoers"
+ ewarn " # chown root:root ${EPREFIX}/etc/sudoers.d"
+ ewarn " # chown root:root ${EPREFIX}/var/db/sudo"
+ ewarn " # chmod 4111 ${EPREFIX}/usr/bin/sudo"
+ ewarn
+ fi
+
+ elog "To use the -A (askpass) option, you need to install a compatible"
+ elog "password program from the following list. Starred packages will"
+ elog "automatically register for the use with sudo (but will not force"
+ elog "the -A option):"
+ elog ""
+ elog " [*] net-misc/ssh-askpass-fullscreen"
+ elog " net-misc/x11-ssh-askpass"
+ elog ""
+ elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
+ elog "variable to the program you want to use."
+}
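Review bot: in `src_configure`, `$(use_with secure-path secure-path "${SECURE_PATH}")` is an unquoted command substitution inside the `myeconfargs` array, so the resulting `--with-secure-path=...` word is subject to word splitting and globbing; if any directory picked up from `profile.env` contains whitespace or a glob character, configure receives a truncated secure_path plus stray arguments. Wrap the whole substitution in double quotes. Also, in `pkg_postinst` the `grep -qs '^[[:space:]]*sudoers:'` test succeeds when nsswitch.conf already has a `sudoers:` line, yet the warning under it tells the user to add that line, so check whether the condition is meant to be negated.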
* [gentoo-commits] repo/gentoo:master commit in: app-admin/sudo/, app-admin/sudo/files/
@ 2025-02-23 1:45 Sam James
From: Sam James @ 2025-02-23 1:45 UTC
To: gentoo-commits
commit: d37009b93e42e283f292dc6ec79b5b60b76b1a5c
Author: Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Sun Feb 23 00:50:04 2025 +0000
Commit: Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sun Feb 23 01:31:59 2025 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d37009b9
app-admin/sudo: drop 1.9.15_p5-r1, 1.9.16-r2, 1.9.16_p1-r1
Signed-off-by: Sam James <sam <AT> gentoo.org>
app-admin/sudo/Manifest | 6 -
.../sudo-1.9.16-allow-disabling-secure-path.patch | 54 ----
app-admin/sudo/sudo-1.9.15_p5-r1.ebuild | 289 --------------------
app-admin/sudo/sudo-1.9.16-r2.ebuild | 296 ---------------------
app-admin/sudo/sudo-1.9.16_p1-r1.ebuild | 294 --------------------
5 files changed, 939 deletions(-)
diff --git a/app-admin/sudo/Manifest b/app-admin/sudo/Manifest
index 746aebd541c7..9997003e13b0 100644
--- a/app-admin/sudo/Manifest
+++ b/app-admin/sudo/Manifest
@@ -1,8 +1,2 @@
-DIST sudo-1.9.15p5.tar.gz 5306611 BLAKE2B 73ee598c2a2848d5be24f97492b13eba2f326c514799220e43a1aeafc6692224a7555fb7cc0a96a2720751d3e4d98e752804db589ac3c1476f24e71f5b9bc720 SHA512 ebac69719de2fe7bd587924701bdd24149bf376a68b17ec02f69b2b96d4bb6fa5eb8260a073ec5ea046d3ac69bb5b1c0b9d61709fe6a56f1f66e40817a70b15a
-DIST sudo-1.9.15p5.tar.gz.sig 566 BLAKE2B ddd8fed1b3721aafdb32b762834168063c3f0f003ef5d83f1883615320da6fe89b08d72c8e893c8b2bf9fd892a40e47cc77d72672e43b5a24db50e7194d9bc4c SHA512 97480a3d27b546a93e997c3a1e8169904a7625ab8fa6198d0b7e1d2d040f55b2d58462cd08e5cc97c2f1c817b12343e35cdd7db207aee42785f2b95b17c600b0
-DIST sudo-1.9.16.tar.gz 5392026 BLAKE2B 19daa789af3ca2c4832950f0dd6f26a97285fdc155f0d7c18ec1f1accafce9b86f2f5730d3bb0b8e7717c0c55f4079928e03acb3974cb2652c58d4bcb2f74a12 SHA512 1b0254eb5b75422bffd31a2ae8c56cb4e8e2ecc08e2fa687eddb638d4f2de2585fa7621c868c03423e9d636bfb5679a3758d504155dbdfd3eebfbdcbd8b58f7c
-DIST sudo-1.9.16.tar.gz.sig 566 BLAKE2B 9eb9fd2db0de5b9ce965c2109a9722e0b5f0793b7c9003123b1540d7cb5b8178043221296fd51c7f0b24ce1b1cda9f196a6d50083da172ca2afcb8f130d8eae1 SHA512 edf066f9ffdf2653468f8b45866a65214f0dff0164318d5f6bd9252f6211e82522161b1b9621798fbc9112253e6940d7137d18e8b42e8c6e5ba52ccac64d99cf
-DIST sudo-1.9.16p1.tar.gz 5396038 BLAKE2B 7f973510658e91af54121d8c4c634b26231ef270abac50f658c9ad8a446a7dbbc44cb878561fb8da51e4ec15ebc8873fdaed05be142907f96964ff42c7e4f896 SHA512 3239d16513c431383b6d54cf40690a9b8fcf905d9b8f5a2085679dd5daeaacbd7efb153b41fd672fc634277c3203aaa1dc18e6a6c01799ebc9948763ec93a038
-DIST sudo-1.9.16p1.tar.gz.sig 566 BLAKE2B 0f68bb4a653cfaacf05d6c148f690ae0022035090e6e60df7efde6b25193ac46d12905ca898e5aadb8339ca3f08e27a4408edeb75f26f7e483f136026835aa24 SHA512 96cdd7f646d2fe7eeefce7710ba421be12a9bfd6811284ba8ccb3f7288b328531bbd7215cf0182c13670f2ec7c0ee25dfd6396214ddd61ee4ee153fec19bef7e
DIST sudo-1.9.16p2.tar.gz 5398419 BLAKE2B ef9f1c2cd4044454a808d1dff5f865355e1bd061d1b5c93a005207e28e9b9df7c267cf01358ce60dd2c98f6844b51dab00eac4e7a08bade1d621235c3a4774bf SHA512 1e2ea762671890a03b0ea4b95b3849f2d3a4c301432db8767433e9d80c517efd8b7a68e0bbce1b178aff5857907600f1f5e0d889779cb27e38c2f602395f6f06
DIST sudo-1.9.16p2.tar.gz.sig 566 BLAKE2B 90f90658a7d6ec3b32f6a726a2cd28e156826a65749a88a2a29d970e97804d2d75de856bc85c9a459233b59e35564c5fbf93aff53ffe42d17d0e94dd23724acd SHA512 7f0e3269c9befada535590b2cfc36f96cd70831b5c030df5b3bf8c7cb3eff296d22193429f940db4a0df849b4d8080e4006086c49869b4bbae663836b2632b49
diff --git a/app-admin/sudo/files/sudo-1.9.16-allow-disabling-secure-path.patch b/app-admin/sudo/files/sudo-1.9.16-allow-disabling-secure-path.patch
deleted file mode 100644
index 8fda41a2b73f..000000000000
--- a/app-admin/sudo/files/sudo-1.9.16-allow-disabling-secure-path.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-https://github.com/sudo-project/sudo/commit/131e7e2de02ab53cfefefe93978d7fee4cb8142d
-
-From 131e7e2de02ab53cfefefe93978d7fee4cb8142d Mon Sep 17 00:00:00 2001
-From: Andy Fiddaman <illumos@fiddaman.net>
-Date: Tue, 17 Sep 2024 12:49:13 +0000
-Subject: [PATCH] Allow --secure-path-value=no
-
-This adds support for --with-secure-path-value=no to allow packagers
-to ship the sudoers configuration file with the secure path
-line commented out if required.
---- a/configure.ac
-+++ b/configure.ac
-@@ -177,6 +177,7 @@ AC_SUBST([sssd_lib])
- AC_SUBST([nsswitch_conf])
- AC_SUBST([netsvc_conf])
- AC_SUBST([secure_path])
-+AC_SUBST([secure_path_config])
- AC_SUBST([secure_path_status])
- AC_SUBST([editor])
- AC_SUBST([pam_session])
-@@ -230,6 +231,7 @@ sesh_file="$libexecdir/sudo/sesh"
- visudo="$sbindir/visudo"
- nsswitch_conf=/etc/nsswitch.conf
- secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
-+secure_path_config=
- secure_path_status="disabled"
- pam_session=on
- pam_login_service=sudo
-@@ -1068,9 +1070,11 @@ AC_ARG_WITH(ldap-secret-file, [AS_HELP_STRING([--with-ldap-secret-file], [path t
- test -n "$with_ldap_secret_file" && ldap_secret="$with_ldap_secret_file"
- SUDO_DEFINE_UNQUOTED(_PATH_LDAP_SECRET, "$ldap_secret", [Path to the ldap.secret file])
-
--AC_ARG_WITH(secure-path-value, [AS_HELP_STRING([--with-secure-path-value], [value of secure_path in the default sudoers file])],
-+AC_ARG_WITH(secure-path-value, [AS_HELP_STRING([--with-secure-path-value], [value of secure_path in the default sudoers file, or "no" to comment out by default])],
- [case $with_secure_path_value in
-- yes|no) AC_MSG_ERROR([must give --secure-path-value an argument.])
-+ yes) AC_MSG_ERROR([must give --with-secure-path-value an argument.])
-+ ;;
-+ no) secure_path_config="# "
- ;;
- *) secure_path="$with_secure_path_value"
- ;;
---- a/plugins/sudoers/sudoers.in
-+++ b/plugins/sudoers/sudoers.in
-@@ -48,7 +48,7 @@ Defaults!@visudo@ env_keep += "SUDO_EDITOR EDITOR VISUAL"
- ## Use a hard-coded PATH instead of the user's to find commands.
- ## This also helps prevent poorly written scripts from running
- ## artbitrary commands under sudo.
--Defaults secure_path="@secure_path@"
-+@secure_path_config@Defaults secure_path="@secure_path@"
- ##
- ## You may wish to keep some of the following environment variables
- ## when running commands via sudo.
-
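Review bot: deleting `sudo-1.9.16-allow-disabling-secure-path.patch` is only safe if no remaining ebuild still lists it in `PATCHES`. Within this diff the only reference is in `sudo-1.9.16-r2.ebuild`, which is removed in the same commit, but the ebuild that uses the remaining `sudo-1.9.16p2` distfile is not shown here, so confirm it does not reference the file (a grep of the package directory for the patch name is enough).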
diff --git a/app-admin/sudo/sudo-1.9.15_p5-r1.ebuild b/app-admin/sudo/sudo-1.9.15_p5-r1.ebuild
deleted file mode 100644
index 918c0435412a..000000000000
--- a/app-admin/sudo/sudo-1.9.15_p5-r1.ebuild
+++ /dev/null
@@ -1,289 +0,0 @@
-# Copyright 1999-2024 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-inherit flag-o-matic pam libtool tmpfiles toolchain-funcs
-
-MY_P="${P/_/}"
-MY_P="${MY_P/beta/b}"
-
-DESCRIPTION="Allows users or groups to run commands as other users"
-HOMEPAGE="https://www.sudo.ws/"
-
-if [[ ${PV} == 9999 ]] ; then
- inherit mercurial
- EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
-else
- VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/sudo.ws.asc
- inherit verify-sig
-
- uri_prefix=
- case ${P} in
- *_beta*|*_rc*) uri_prefix=beta/ ;;
- esac
-
- SRC_URI="
- https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
- ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz
- verify-sig? (
- https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz.sig
- ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz.sig
- )
- "
-
- if [[ ${PV} != *_beta* && ${PV} != *_rc* ]] ; then
- KEYWORDS="~alpha amd64 arm arm64 hppa ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
- fi
-
- BDEPEND="verify-sig? ( sec-keys/openpgp-keys-sudo )"
-fi
-
-S="${WORKDIR}/${MY_P}"
-
-# Basic license is ISC-style as-is, some files are released under
-# 3-clause BSD license
-LICENSE="ISC BSD"
-SLOT="0"
-IUSE="gcrypt ldap nls offensive pam sasl +secure-path selinux +sendmail skey ssl sssd"
-
-DEPEND="
- sys-libs/zlib:=
- virtual/libcrypt:=
- gcrypt? ( dev-libs/libgcrypt:= )
- ldap? (
- >=net-nds/openldap-2.1.30-r1:=
- sasl? (
- dev-libs/cyrus-sasl
- net-nds/openldap:=[sasl]
- )
- )
- pam? ( sys-libs/pam )
- sasl? ( dev-libs/cyrus-sasl )
- selinux? ( sys-libs/libselinux )
- skey? ( >=sys-auth/skey-1.1.5-r1 )
- ssl? ( dev-libs/openssl:= )
- sssd? ( sys-auth/sssd[sudo(+)] )
-"
-RDEPEND="
- ${DEPEND}
- >=app-misc/editor-wrapper-3
- virtual/editor
- ldap? ( dev-lang/perl )
- pam? ( sys-auth/pambase )
- selinux? ( sec-policy/selinux-sudo )
- sendmail? ( virtual/mta )
-"
-BDEPEND+="
- app-alternatives/yacc
- virtual/pkgconfig
-"
-
-REQUIRED_USE="
- ?? ( pam skey )
- ?? ( gcrypt ssl )
-"
-
-MAKEOPTS+=" SAMPLES="
-
-src_prepare() {
- default
-
- elibtoolize
-}
-
-set_secure_path() {
- # First extract the default ROOTPATH from build env
- SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env; echo "${ROOTPATH}")
-
- case "${SECURE_PATH}" in
- */usr/sbin*)
- ;;
- *)
- SECURE_PATH=$(unset PATH; . "${EPREFIX}"/etc/profile.env; echo "${PATH}")
- ;;
- esac
-
- if [[ -z ${SECURE_PATH} ]] ; then
- ewarn " Failed to detect SECURE_PATH, please report this"
- fi
-
- # Then remove duplicate path entries
- cleanpath() {
- local newpath thisp IFS=:
- for thisp in $1 ; do
- if [[ :${newpath}: != *:${thisp}:* ]] ; then
- newpath+=:${thisp}
- else
- einfo " Duplicate entry ${thisp} removed..."
- fi
- done
- SECURE_PATH=${newpath#:}
- }
- cleanpath /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
-
- # Finally, strip gcc paths, bug #136027
- rmpath() {
- local e newpath thisp IFS=:
- for thisp in ${SECURE_PATH} ; do
- for e ; do
- [[ ${thisp} == ${e} ]] && continue 2 ;
- done
- newpath+=:${thisp}
- done
- SECURE_PATH=${newpath#:}
- }
- rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*'
-}
-
-src_configure() {
- local SECURE_PATH
-
- set_secure_path
-
- # bug #767712
- tc-export PKG_CONFIG
-
- # https://github.com/sudo-project/sudo/issues/420
- append-cflags -std=gnu17
-
- # - audit: somebody got to explain me how I can test this before I
- # enable it.. - Diego
- # - plugindir: autoconf code is crappy and does not delay evaluation
- # until `make` time, so we have to use a full path here rather than
- # basing off other values.
- local myeconfargs=(
- # We set all of the relevant options by ourselves (patched
- # into the toolchain) and setting these in the build system
- # actually causes a downgrade when using e.g. -D_FORTIFY_SOURCE=3
- # (it'll downgrade to =2). So, this has no functional effect on
- # the hardening for users. It's safe.
- --disable-hardening
-
- # requires some python eclass
- --disable-python
- --enable-tmpfiles.d="${EPREFIX}"/usr/lib/tmpfiles.d
- --enable-zlib=system
- --with-editor="${EPREFIX}"/usr/libexec/editor
- --with-env-editor
- --with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo
- --with-rundir="${EPREFIX}"/run/sudo
- --with-vardir="${EPREFIX}"/var/db/sudo
- --without-linux-audit
- --without-opie
- $(use_enable gcrypt)
- $(use_enable nls)
- $(use_enable sasl)
- $(use_enable ssl openssl)
- $(use_with ldap)
- $(use_with ldap ldap_conf_file /etc/ldap.conf.sudo)
- $(use_with offensive insults)
- $(use_with offensive all-insults)
- $(use_with pam)
- $(use_with pam pam-login)
- "$(use_with secure-path secure-path "${SECURE_PATH}")"
- $(use_with selinux)
- $(use_with sendmail)
- $(use_with skey)
- $(use_with sssd)
- )
-
- econf "${myeconfargs[@]}"
-}
-
-src_install() {
- default
-
- if use ldap ; then
- dodoc README.LDAP.md
-
- cat <<-EOF > "${T}"/ldap.conf.sudo
- # See ldap.conf(5) and README.LDAP.md for details
- # This file should only be readable by root
-
- # supported directives: host, port, ssl, ldap_version
- # uri, binddn, bindpw, sudoers_base, sudoers_debug
- # tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key}
- EOF
-
- if use sasl ; then
- cat <<-EOF >> "${T}"/ldap.conf.sudo
-
- # SASL directives: use_sasl, sasl_mech, sasl_auth_id
- # sasl_secprops, rootuse_sasl, rootsasl_auth_id, krb5_ccname
- EOF
- fi
-
- insinto /etc
- doins "${T}"/ldap.conf.sudo
- fperms 0440 /etc/ldap.conf.sudo
-
- insinto /etc/openldap/schema
- newins docs/schema.OpenLDAP sudo.schema
- fi
-
- if use pam ; then
- pamd_mimic system-auth sudo auth account session
- pamd_mimic system-auth sudo-i auth account session
- fi
-
- keepdir /var/db/sudo/lectured
- fperms 0700 /var/db/sudo/lectured
- # bug #652958
- fperms 0711 /var/db/sudo
-
- # Don't install into /run as that is a tmpfs most of the time
- # (bug #504854)
- rm -rf "${ED}"/run || die
-
- # bug #697812
- find "${ED}" -type f -name "*.la" -delete || die
-}
-
-pkg_postinst() {
- tmpfiles_process sudo.conf
-
- # bug #652958
- local sudo_db="${EROOT}/var/db/sudo"
- if [[ "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then
- chmod 711 "${sudo_db}" || die
- fi
-
- if use ldap ; then
- ewarn
- ewarn "sudo uses the ${ROOT}/etc/ldap.conf.sudo file for ldap configuration."
- ewarn
- if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
- ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
- ewarn "configured in ${ROOT}/etc/nsswitch.conf."
- ewarn
- ewarn "To make use of LDAP, add this line to your ${ROOT}/etc/nsswitch.conf:"
- ewarn " sudoers: ldap files"
- ewarn
- fi
- fi
- if use prefix ; then
- ewarn
- ewarn "To use sudo on Prefix, you need to change file ownership and permissions"
- ewarn "with root privileges, as follows:"
- ewarn
- ewarn " # chown root:root ${EPREFIX}/usr/bin/sudo"
- ewarn " # chown root:root ${EPREFIX}/usr/lib/sudo/sudoers.so"
- ewarn " # chown root:root ${EPREFIX}/etc/sudoers"
- ewarn " # chown root:root ${EPREFIX}/etc/sudoers.d"
- ewarn " # chown root:root ${EPREFIX}/var/db/sudo"
- ewarn " # chmod 4111 ${EPREFIX}/usr/bin/sudo"
- ewarn
- fi
-
- elog "To use the -A (askpass) option, you need to install a compatible"
- elog "password program from the following list. Starred packages will"
- elog "automatically register for the use with sudo (but will not force"
- elog "the -A option):"
- elog ""
- elog " [*] net-misc/ssh-askpass-fullscreen"
- elog " net-misc/x11-ssh-askpass"
- elog ""
- elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
- elog "variable to the program you want to use."
-}
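Review bot: the `KEYWORDS` line of this ebuild carries stable keywords (`amd64`, `arm`, `arm64`, `hppa`, `ppc`, `ppc64`, `sparc`, `x86`), while the other two versions dropped in this commit are `~arch` only, so this removal takes away the only stable candidate visible in the diff. Confirm the ebuild for the remaining `sudo-1.9.16p2` distfile is already stable on those architectures before dropping this one, and state in the commit message why the versions are being dropped (routine cleanup, or a bug reference if one exists).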
diff --git a/app-admin/sudo/sudo-1.9.16-r2.ebuild b/app-admin/sudo/sudo-1.9.16-r2.ebuild
deleted file mode 100644
index 2403907f5ce8..000000000000
--- a/app-admin/sudo/sudo-1.9.16-r2.ebuild
+++ /dev/null
@@ -1,296 +0,0 @@
-# Copyright 1999-2024 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-inherit autotools flag-o-matic pam tmpfiles toolchain-funcs
-
-MY_P="${P/_/}"
-MY_P="${MY_P/beta/b}"
-
-DESCRIPTION="Allows users or groups to run commands as other users"
-HOMEPAGE="https://www.sudo.ws/"
-
-if [[ ${PV} == 9999 ]] ; then
- inherit mercurial
- EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
-else
- VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/sudo.ws.asc
- inherit verify-sig
-
- uri_prefix=
- case ${P} in
- *_beta*|*_rc*) uri_prefix=beta/ ;;
- esac
-
- SRC_URI="
- https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
- ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz
- verify-sig? (
- https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz.sig
- ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz.sig
- )
- "
-
- if [[ ${PV} != *_beta* && ${PV} != *_rc* ]] ; then
- KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
- fi
-
- BDEPEND="verify-sig? ( sec-keys/openpgp-keys-sudo )"
-fi
-
-S="${WORKDIR}/${MY_P}"
-
-# Basic license is ISC-style as-is, some files are released under
-# 3-clause BSD license
-LICENSE="ISC BSD"
-SLOT="0"
-IUSE="gcrypt ldap nls offensive pam sasl +secure-path selinux +sendmail skey ssl sssd"
-
-DEPEND="
- sys-libs/zlib:=
- virtual/libcrypt:=
- gcrypt? ( dev-libs/libgcrypt:= )
- ldap? (
- >=net-nds/openldap-2.1.30-r1:=
- sasl? (
- dev-libs/cyrus-sasl
- net-nds/openldap:=[sasl]
- )
- )
- pam? ( sys-libs/pam )
- sasl? ( dev-libs/cyrus-sasl )
- selinux? ( sys-libs/libselinux )
- skey? ( >=sys-auth/skey-1.1.5-r1 )
- ssl? ( dev-libs/openssl:= )
- sssd? ( sys-auth/sssd[sudo(+)] )
-"
-RDEPEND="
- ${DEPEND}
- >=app-misc/editor-wrapper-3
- virtual/editor
- ldap? ( dev-lang/perl )
- pam? ( sys-auth/pambase )
- selinux? ( sec-policy/selinux-sudo )
- sendmail? ( virtual/mta )
-"
-BDEPEND+="
- app-alternatives/yacc
- virtual/pkgconfig
-"
-
-REQUIRED_USE="
- ?? ( pam skey )
- ?? ( gcrypt ssl )
-"
-
-MAKEOPTS+=" SAMPLES="
-
-PATCHES=(
- "${FILESDIR}"/${PN}-1.9.16-allow-disabling-secure-path.patch
-)
-
-src_prepare() {
- default
-
- # eautoreconf temporarily for allow-disabling-secure-path patch
- # in 1.9.16; revert to elibtoolize once that is gone.
- eautoreconf
-}
-
-set_secure_path() {
- # First extract the default ROOTPATH from build env
- SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env; echo "${ROOTPATH}")
-
- case "${SECURE_PATH}" in
- */usr/sbin*)
- ;;
- *)
- SECURE_PATH=$(unset PATH; . "${EPREFIX}"/etc/profile.env; echo "${PATH}")
- ;;
- esac
-
- if [[ -z ${SECURE_PATH} ]] ; then
- ewarn " Failed to detect SECURE_PATH, please report this"
- fi
-
- # Then remove duplicate path entries
- cleanpath() {
- local newpath thisp IFS=:
- for thisp in $1 ; do
- if [[ :${newpath}: != *:${thisp}:* ]] ; then
- newpath+=:${thisp}
- else
- einfo " Duplicate entry ${thisp} removed..."
- fi
- done
- SECURE_PATH=${newpath#:}
- }
- cleanpath /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
-
- # Finally, strip gcc paths, bug #136027
- rmpath() {
- local e newpath thisp IFS=:
- for thisp in ${SECURE_PATH} ; do
- for e ; do
- [[ ${thisp} == ${e} ]] && continue 2 ;
- done
- newpath+=:${thisp}
- done
- SECURE_PATH=${newpath#:}
- }
- rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*'
-}
-
-src_configure() {
- local SECURE_PATH
-
- set_secure_path
-
- # bug #767712
- tc-export PKG_CONFIG
-
- # https://github.com/sudo-project/sudo/issues/420
- append-cflags -std=gnu17
-
- # - audit: somebody got to explain me how I can test this before I
- # enable it.. - Diego
- # - plugindir: autoconf code is crappy and does not delay evaluation
- # until `make` time, so we have to use a full path here rather than
- # basing off other values.
- local myeconfargs=(
- # We set all of the relevant options by ourselves (patched
- # into the toolchain) and setting these in the build system
- # actually causes a downgrade when using e.g. -D_FORTIFY_SOURCE=3
- # (it'll downgrade to =2). So, this has no functional effect on
- # the hardening for users. It's safe.
- --disable-hardening
-
- # requires some python eclass
- --disable-python
- --enable-tmpfiles.d="${EPREFIX}"/usr/lib/tmpfiles.d
- --enable-zlib=system
- --with-editor="${EPREFIX}"/usr/libexec/editor
- --with-env-editor
- --with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo
- --with-rundir="${EPREFIX}"/run/sudo
- --with-vardir="${EPREFIX}"/var/db/sudo
- --without-linux-audit
- --without-opie
- $(use_enable gcrypt)
- $(use_enable nls)
- $(use_enable sasl)
- $(use_enable ssl openssl)
- $(use_with ldap)
- $(use_with ldap ldap_conf_file /etc/ldap.conf.sudo)
- $(use_with offensive insults)
- $(use_with offensive all-insults)
- $(use_with pam)
- $(use_with pam pam-login)
- $(use_with secure-path)
- "$(use_with secure-path secure-path-value "${SECURE_PATH}")"
- $(use_with selinux)
- $(use_with sendmail)
- $(use_with skey)
- $(use_with sssd)
- )
-
- econf "${myeconfargs[@]}"
-}
-
-src_install() {
- default
-
- if use ldap ; then
- dodoc README.LDAP.md
-
- cat <<-EOF > "${T}"/ldap.conf.sudo
- # See ldap.conf(5) and README.LDAP.md for details
- # This file should only be readable by root
-
- # supported directives: host, port, ssl, ldap_version
- # uri, binddn, bindpw, sudoers_base, sudoers_debug
- # tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key}
- EOF
-
- if use sasl ; then
- cat <<-EOF >> "${T}"/ldap.conf.sudo
-
- # SASL directives: use_sasl, sasl_mech, sasl_auth_id
- # sasl_secprops, rootuse_sasl, rootsasl_auth_id, krb5_ccname
- EOF
- fi
-
- insinto /etc
- doins "${T}"/ldap.conf.sudo
- fperms 0440 /etc/ldap.conf.sudo
-
- insinto /etc/openldap/schema
- newins docs/schema.OpenLDAP sudo.schema
- fi
-
- if use pam ; then
- pamd_mimic system-auth sudo auth account session
- pamd_mimic system-auth sudo-i auth account session
- fi
-
- keepdir /var/db/sudo/lectured
- fperms 0700 /var/db/sudo/lectured
- # bug #652958
- fperms 0711 /var/db/sudo
-
- # Don't install into /run as that is a tmpfs most of the time
- # (bug #504854)
- rm -rf "${ED}"/run || die
-
- # bug #697812
- find "${ED}" -type f -name "*.la" -delete || die
-}
-
-pkg_postinst() {
- tmpfiles_process sudo.conf
-
- # bug #652958
- local sudo_db="${EROOT}/var/db/sudo"
- if [[ "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then
- chmod 711 "${sudo_db}" || die
- fi
-
- if use ldap ; then
- ewarn
- ewarn "sudo uses the ${ROOT}/etc/ldap.conf.sudo file for ldap configuration."
- ewarn
- if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
- ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
- ewarn "configured in ${ROOT}/etc/nsswitch.conf."
- ewarn
- ewarn "To make use of LDAP, add this line to your ${ROOT}/etc/nsswitch.conf:"
- ewarn " sudoers: ldap files"
- ewarn
- fi
- fi
- if use prefix ; then
- ewarn
- ewarn "To use sudo on Prefix, you need to change file ownership and permissions"
- ewarn "with root privileges, as follows:"
- ewarn
- ewarn " # chown root:root ${EPREFIX}/usr/bin/sudo"
- ewarn " # chown root:root ${EPREFIX}/usr/lib/sudo/sudoers.so"
- ewarn " # chown root:root ${EPREFIX}/etc/sudoers"
- ewarn " # chown root:root ${EPREFIX}/etc/sudoers.d"
- ewarn " # chown root:root ${EPREFIX}/var/db/sudo"
- ewarn " # chmod 4111 ${EPREFIX}/usr/bin/sudo"
- ewarn
- fi
-
- elog "To use the -A (askpass) option, you need to install a compatible"
- elog "password program from the following list. Starred packages will"
- elog "automatically register for the use with sudo (but will not force"
- elog "the -A option):"
- elog ""
- elog " [*] net-misc/ssh-askpass-fullscreen"
- elog " net-misc/x11-ssh-askpass"
- elog ""
- elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
- elog "variable to the program you want to use."
-}
diff --git a/app-admin/sudo/sudo-1.9.16_p1-r1.ebuild b/app-admin/sudo/sudo-1.9.16_p1-r1.ebuild
deleted file mode 100644
index a4c126a9a273..000000000000
--- a/app-admin/sudo/sudo-1.9.16_p1-r1.ebuild
+++ /dev/null
@@ -1,294 +0,0 @@
-# Copyright 1999-2024 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-inherit flag-o-matic pam tmpfiles toolchain-funcs
-
-MY_P="${P/_/}"
-MY_P="${MY_P/beta/b}"
-
-DESCRIPTION="Allows users or groups to run commands as other users"
-HOMEPAGE="https://www.sudo.ws/"
-
-if [[ ${PV} == 9999 ]] ; then
- inherit autotools mercurial
- EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
-else
- VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/sudo.ws.asc
- inherit libtool verify-sig
-
- uri_prefix=
- case ${P} in
- *_beta*|*_rc*) uri_prefix=beta/ ;;
- esac
-
- SRC_URI="
- https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
- ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz
- verify-sig? (
- https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz.sig
- ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz.sig
- )
- "
-
- if [[ ${PV} != *_beta* && ${PV} != *_rc* ]] ; then
- KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
- fi
-
- BDEPEND="verify-sig? ( sec-keys/openpgp-keys-sudo )"
-fi
-
-S="${WORKDIR}/${MY_P}"
-
-# Basic license is ISC-style as-is, some files are released under
-# 3-clause BSD license
-LICENSE="ISC BSD"
-SLOT="0"
-IUSE="gcrypt ldap nls offensive pam sasl +secure-path selinux +sendmail skey ssl sssd"
-
-DEPEND="
- sys-libs/zlib:=
- virtual/libcrypt:=
- gcrypt? ( dev-libs/libgcrypt:= )
- ldap? (
- >=net-nds/openldap-2.1.30-r1:=
- sasl? (
- dev-libs/cyrus-sasl
- net-nds/openldap:=[sasl]
- )
- )
- pam? ( sys-libs/pam )
- sasl? ( dev-libs/cyrus-sasl )
- selinux? ( sys-libs/libselinux )
- skey? ( >=sys-auth/skey-1.1.5-r1 )
- ssl? ( dev-libs/openssl:= )
- sssd? ( sys-auth/sssd[sudo(+)] )
-"
-RDEPEND="
- ${DEPEND}
- >=app-misc/editor-wrapper-3
- virtual/editor
- ldap? ( dev-lang/perl )
- pam? ( sys-auth/pambase )
- selinux? ( sec-policy/selinux-sudo )
- sendmail? ( virtual/mta )
-"
-BDEPEND+="
- app-alternatives/yacc
- virtual/pkgconfig
-"
-
-REQUIRED_USE="
- ?? ( pam skey )
- ?? ( gcrypt ssl )
-"
-
-MAKEOPTS+=" SAMPLES="
-
-src_prepare() {
- default
-
- if [[ ${PV} == 9999 ]] ; then
- eautoreconf
- else
- elibtoolize
- fi
-}
-
-set_secure_path() {
- # First extract the default ROOTPATH from build env
- SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env; echo "${ROOTPATH}")
-
- case "${SECURE_PATH}" in
- */usr/sbin*)
- ;;
- *)
- SECURE_PATH=$(unset PATH; . "${EPREFIX}"/etc/profile.env; echo "${PATH}")
- ;;
- esac
-
- if [[ -z ${SECURE_PATH} ]] ; then
- ewarn " Failed to detect SECURE_PATH, please report this"
- fi
-
- # Then remove duplicate path entries
- cleanpath() {
- local newpath thisp IFS=:
- for thisp in $1 ; do
- if [[ :${newpath}: != *:${thisp}:* ]] ; then
- newpath+=:${thisp}
- else
- einfo " Duplicate entry ${thisp} removed..."
- fi
- done
- SECURE_PATH=${newpath#:}
- }
- cleanpath /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
-
- # Finally, strip gcc paths, bug #136027
- rmpath() {
- local e newpath thisp IFS=:
- for thisp in ${SECURE_PATH} ; do
- for e ; do
- [[ ${thisp} == ${e} ]] && continue 2 ;
- done
- newpath+=:${thisp}
- done
- SECURE_PATH=${newpath#:}
- }
- rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*'
-}
-
-src_configure() {
- local SECURE_PATH
-
- set_secure_path
-
- # bug #767712
- tc-export PKG_CONFIG
-
- # https://github.com/sudo-project/sudo/issues/420
- append-cflags -std=gnu17
-
- # - audit: somebody got to explain me how I can test this before I
- # enable it.. - Diego
- # - plugindir: autoconf code is crappy and does not delay evaluation
- # until `make` time, so we have to use a full path here rather than
- # basing off other values.
- local myeconfargs=(
- # We set all of the relevant options by ourselves (patched
- # into the toolchain) and setting these in the build system
- # actually causes a downgrade when using e.g. -D_FORTIFY_SOURCE=3
- # (it'll downgrade to =2). So, this has no functional effect on
- # the hardening for users. It's safe.
- --disable-hardening
-
- # requires some python eclass
- --disable-python
- --enable-tmpfiles.d="${EPREFIX}"/usr/lib/tmpfiles.d
- --enable-zlib=system
- --with-editor="${EPREFIX}"/usr/libexec/editor
- --with-env-editor
- --with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo
- --with-rundir="${EPREFIX}"/run/sudo
- --with-vardir="${EPREFIX}"/var/db/sudo
- --without-linux-audit
- --without-opie
- $(use_enable gcrypt)
- $(use_enable nls)
- $(use_enable sasl)
- $(use_enable ssl openssl)
- $(use_with ldap)
- $(use_with ldap ldap_conf_file /etc/ldap.conf.sudo)
- $(use_with offensive insults)
- $(use_with offensive all-insults)
- $(use_with pam)
- $(use_with pam pam-login)
- $(use_with secure-path)
- "$(use_with secure-path secure-path-value "${SECURE_PATH}")"
- $(use_with selinux)
- $(use_with sendmail)
- $(use_with skey)
- $(use_with sssd)
- )
-
- econf "${myeconfargs[@]}"
-}
-
-src_install() {
- default
-
- if use ldap ; then
- dodoc README.LDAP.md
-
- cat <<-EOF > "${T}"/ldap.conf.sudo
- # See ldap.conf(5) and README.LDAP.md for details
- # This file should only be readable by root
-
- # supported directives: host, port, ssl, ldap_version
- # uri, binddn, bindpw, sudoers_base, sudoers_debug
- # tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key}
- EOF
-
- if use sasl ; then
- cat <<-EOF >> "${T}"/ldap.conf.sudo
-
- # SASL directives: use_sasl, sasl_mech, sasl_auth_id
- # sasl_secprops, rootuse_sasl, rootsasl_auth_id, krb5_ccname
- EOF
- fi
-
- insinto /etc
- doins "${T}"/ldap.conf.sudo
- fperms 0440 /etc/ldap.conf.sudo
-
- insinto /etc/openldap/schema
- newins docs/schema.OpenLDAP sudo.schema
- fi
-
- if use pam ; then
- pamd_mimic system-auth sudo auth account session
- pamd_mimic system-auth sudo-i auth account session
- fi
-
- keepdir /var/db/sudo/lectured
- fperms 0700 /var/db/sudo/lectured
- # bug #652958
- fperms 0711 /var/db/sudo
-
- # Don't install into /run as that is a tmpfs most of the time
- # (bug #504854)
- rm -rf "${ED}"/run || die
-
- # bug #697812
- find "${ED}" -type f -name "*.la" -delete || die
-}
-
-pkg_postinst() {
- tmpfiles_process sudo.conf
-
- # bug #652958
- local sudo_db="${EROOT}/var/db/sudo"
- if [[ "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then
- chmod 711 "${sudo_db}" || die
- fi
-
- if use ldap ; then
- ewarn
- ewarn "sudo uses the ${ROOT}/etc/ldap.conf.sudo file for ldap configuration."
- ewarn
- if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
- ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
- ewarn "configured in ${ROOT}/etc/nsswitch.conf."
- ewarn
- ewarn "To make use of LDAP, add this line to your ${ROOT}/etc/nsswitch.conf:"
- ewarn " sudoers: ldap files"
- ewarn
- fi
- fi
- if use prefix ; then
- ewarn
- ewarn "To use sudo on Prefix, you need to change file ownership and permissions"
- ewarn "with root privileges, as follows:"
- ewarn
- ewarn " # chown root:root ${EPREFIX}/usr/bin/sudo"
- ewarn " # chown root:root ${EPREFIX}/usr/lib/sudo/sudoers.so"
- ewarn " # chown root:root ${EPREFIX}/etc/sudoers"
- ewarn " # chown root:root ${EPREFIX}/etc/sudoers.d"
- ewarn " # chown root:root ${EPREFIX}/var/db/sudo"
- ewarn " # chmod 4111 ${EPREFIX}/usr/bin/sudo"
- ewarn
- fi
-
- elog "To use the -A (askpass) option, you need to install a compatible"
- elog "password program from the following list. Starred packages will"
- elog "automatically register for the use with sudo (but will not force"
- elog "the -A option):"
- elog ""
- elog " [*] net-misc/ssh-askpass-fullscreen"
- elog " net-misc/x11-ssh-askpass"
- elog ""
- elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
- elog "variable to the program you want to use."
-}
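Review bot: In src_configure, Linux audit support is switched off unconditionally with `--without-linux-audit`, and the only rationale is the comment "audit: somebody got to explain me how I can test this before I enable it.. - Diego", which reads as an unresolved TODO rather than a decision. sudo is installed setuid (the Prefix notes in pkg_postinst set `chmod 4111` on the binary), so whether its invocations reach the audit subsystem is a security-relevant build choice. Before this file goes, please confirm that the ebuild that remains either puts the option behind a USE flag or replaces the comment with a stated reason for keeping it disabled.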