public inbox for gentoo-commits@lists.gentoo.org
 help / color / mirror / Atom feed
* [gentoo-commits] repo/gentoo:master commit in: app-admin/sudo/files/, app-admin/sudo/
@ 2020-09-07 20:44 Mike Gilbert
  0 siblings, 0 replies; 9+ messages in thread
From: Mike Gilbert @ 2020-09-07 20:44 UTC (permalink / raw
  To: gentoo-commits

commit:     5ada6ccb950343e144eb49969b1f288fd930dc0a
Author:     David Michael <fedora.dm0 <AT> gmail <DOT> com>
AuthorDate: Thu Sep  3 12:49:40 2020 +0000
Commit:     Mike Gilbert <floppym <AT> gentoo <DOT> org>
CommitDate: Mon Sep  7 20:44:01 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5ada6ccb

app-admin/sudo: glibc-2.32 port

Closes: https://bugs.gentoo.org/739016
Package-Manager: Portage-3.0.4, Repoman-2.3.23
Signed-off-by: David Michael <fedora.dm0 <AT> gmail.com>
Signed-off-by: Mike Gilbert <floppym <AT> gentoo.org>

 app-admin/sudo/files/sudo-1.9.2-glibc-2.32.patch | 308 +++++++++++++++++++++++
 app-admin/sudo/sudo-1.9.2-r1.ebuild              | 265 +++++++++++++++++++
 2 files changed, 573 insertions(+)

diff --git a/app-admin/sudo/files/sudo-1.9.2-glibc-2.32.patch b/app-admin/sudo/files/sudo-1.9.2-glibc-2.32.patch
new file mode 100644
index 00000000000..6134fe736d0
--- /dev/null
+++ b/app-admin/sudo/files/sudo-1.9.2-glibc-2.32.patch
@@ -0,0 +1,308 @@
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1598395693 21600
+# Node ID e30482f26924b07775d87ae591e54ad72e794d5e
+# Parent  1ede927d99b3cb06ba514c9fd2fd7fa9a014a1b2
+Use sigabbrev_np(3) to access signal abbreviations if supported.
+glibc-2.32 has removed sys_sigabbrev[], we can use sigabbrev_np(3) instead.
+
+diff -r 1ede927d99b3 -r e30482f26924 config.h.in
+--- a/config.h.in	Mon Aug 17 19:37:09 2020 -0600
++++ b/config.h.in	Tue Aug 25 16:48:13 2020 -0600
+@@ -740,6 +740,9 @@
+ /* Define to 1 if you have the `sig2str' function. */
+ #undef HAVE_SIG2STR
+ 
++/* Define to 1 if you have the `sigabbrev_np' function. */
++#undef HAVE_SIGABBREV_NP
++
+ /* Define to 1 if you use S/Key. */
+ #undef HAVE_SKEY
+ 
+diff -r 1ede927d99b3 -r e30482f26924 configure
+--- a/configure	Mon Aug 17 19:37:09 2020 -0600
++++ b/configure	Tue Aug 25 16:48:13 2020 -0600
+@@ -23687,9 +23687,21 @@
+ 
+ 
+ if test x"${ac_cv_func_sig2str}${ac_cv_func_str2sig}" != x"yesyes"; then
+-    COMPAT_TEST_PROGS="${COMPAT_TEST_PROGS}${COMPAT_TEST_PROGS+ }strsig_test"
+-    HAVE_SIGNAME="false"
+-    ac_fn_c_check_decl "$LINENO" "sys_signame" "ac_cv_have_decl_sys_signame" "
++    for ac_func in sigabbrev_np
++do :
++  ac_fn_c_check_func "$LINENO" "sigabbrev_np" "ac_cv_func_sigabbrev_np"
++if test "x$ac_cv_func_sigabbrev_np" = xyes; then :
++  cat >>confdefs.h <<_ACEOF
++#define HAVE_SIGABBREV_NP 1
++_ACEOF
++
++fi
++done
++
++    if test x"${ac_cv_func_sigabbrev_np}" != x"yes"; then
++	COMPAT_TEST_PROGS="${COMPAT_TEST_PROGS}${COMPAT_TEST_PROGS+ }strsig_test"
++	HAVE_SIGNAME="false"
++	ac_fn_c_check_decl "$LINENO" "sys_signame" "ac_cv_have_decl_sys_signame" "
+ $ac_includes_default
+ #include <signal.h>
+ 
+@@ -23705,7 +23717,7 @@
+ _ACEOF
+ if test $ac_have_decl = 1; then :
+ 
+-	HAVE_SIGNAME="true"
++	    HAVE_SIGNAME="true"
+ 
+ fi
+ ac_fn_c_check_decl "$LINENO" "_sys_signame" "ac_cv_have_decl__sys_signame" "
+@@ -23724,7 +23736,7 @@
+ _ACEOF
+ if test $ac_have_decl = 1; then :
+ 
+-	HAVE_SIGNAME="true"
++	    HAVE_SIGNAME="true"
+ 
+ fi
+ ac_fn_c_check_decl "$LINENO" "sys_sigabbrev" "ac_cv_have_decl_sys_sigabbrev" "
+@@ -23743,12 +23755,12 @@
+ _ACEOF
+ if test $ac_have_decl = 1; then :
+ 
+-	HAVE_SIGNAME="true"
+-
+-fi
+-
+-    if test "$HAVE_SIGNAME" != "true"; then
+-	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for undeclared sys_sigabbrev" >&5
++	    HAVE_SIGNAME="true"
++
++fi
++
++	if test "$HAVE_SIGNAME" != "true"; then
++	    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for undeclared sys_sigabbrev" >&5
+ $as_echo_n "checking for undeclared sys_sigabbrev... " >&6; }
+ if ${sudo_cv_var_sys_sigabbrev+:} false; then :
+   $as_echo_n "(cached) " >&6
+@@ -23777,17 +23789,18 @@
+ fi
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_sys_sigabbrev" >&5
+ $as_echo "$sudo_cv_var_sys_sigabbrev" >&6; }
+-	if test "$sudo_cv_var_sys_sigabbrev" = yes; then
+-	    $as_echo "#define HAVE_SYS_SIGABBREV 1" >>confdefs.h
+-
+-	else
+-	    case " $LIBOBJS " in
++	    if test "$sudo_cv_var_sys_sigabbrev" = yes; then
++		$as_echo "#define HAVE_SYS_SIGABBREV 1" >>confdefs.h
++
++	    else
++		case " $LIBOBJS " in
+   *" signame.$ac_objext "* ) ;;
+   *) LIBOBJS="$LIBOBJS signame.$ac_objext"
+  ;;
+ esac
+ 
+-	    SIGNAME=signame.lo
++		SIGNAME=signame.lo
++	    fi
+ 	fi
+     fi
+ fi
+diff -r 1ede927d99b3 -r e30482f26924 configure.ac
+--- a/configure.ac	Mon Aug 17 19:37:09 2020 -0600
++++ b/configure.ac	Tue Aug 25 16:48:13 2020 -0600
+@@ -3498,29 +3498,32 @@
+ dnl Also enable unit tests for sig2str() and str2sig().
+ dnl
+ if test x"${ac_cv_func_sig2str}${ac_cv_func_str2sig}" != x"yesyes"; then
+-    COMPAT_TEST_PROGS="${COMPAT_TEST_PROGS}${COMPAT_TEST_PROGS+ }strsig_test"
+-    HAVE_SIGNAME="false"
+-    AC_CHECK_DECLS([sys_signame, _sys_signame, sys_sigabbrev], [
+-	HAVE_SIGNAME="true"
+-    ], [ ], [
++    AC_CHECK_FUNCS([sigabbrev_np])
++    if test x"${ac_cv_func_sigabbrev_np}" != x"yes"; then
++	COMPAT_TEST_PROGS="${COMPAT_TEST_PROGS}${COMPAT_TEST_PROGS+ }strsig_test"
++	HAVE_SIGNAME="false"
++	AC_CHECK_DECLS([sys_signame, _sys_signame, sys_sigabbrev], [
++	    HAVE_SIGNAME="true"
++	], [ ], [
+ AC_INCLUDES_DEFAULT
+ #include <signal.h>
+-    ])
+-    if test "$HAVE_SIGNAME" != "true"; then
+-	AC_CACHE_CHECK([for undeclared sys_sigabbrev],
+-	    [sudo_cv_var_sys_sigabbrev],
+-	    [AC_LINK_IFELSE(
+-		[AC_LANG_PROGRAM([[extern char **sys_sigabbrev;]], [[return sys_sigabbrev[1];]])],
+-		    [sudo_cv_var_sys_sigabbrev=yes],
+-		    [sudo_cv_var_sys_sigabbrev=no]
+-		)
+-	    ]
+-	)
+-	if test "$sudo_cv_var_sys_sigabbrev" = yes; then
+-	    AC_DEFINE(HAVE_SYS_SIGABBREV)
+-	else
+-	    AC_LIBOBJ(signame)
+-	    SIGNAME=signame.lo
++	])
++	if test "$HAVE_SIGNAME" != "true"; then
++	    AC_CACHE_CHECK([for undeclared sys_sigabbrev],
++		[sudo_cv_var_sys_sigabbrev],
++		[AC_LINK_IFELSE(
++		    [AC_LANG_PROGRAM([[extern char **sys_sigabbrev;]], [[return sys_sigabbrev[1];]])],
++			[sudo_cv_var_sys_sigabbrev=yes],
++			[sudo_cv_var_sys_sigabbrev=no]
++		    )
++		]
++	    )
++	    if test "$sudo_cv_var_sys_sigabbrev" = yes; then
++		AC_DEFINE(HAVE_SYS_SIGABBREV)
++	    else
++		AC_LIBOBJ(signame)
++		SIGNAME=signame.lo
++	    fi
+ 	fi
+     fi
+ fi
+diff -r 1ede927d99b3 -r e30482f26924 lib/util/sig2str.c
+--- a/lib/util/sig2str.c	Mon Aug 17 19:37:09 2020 -0600
++++ b/lib/util/sig2str.c	Tue Aug 25 16:48:13 2020 -0600
+@@ -1,7 +1,7 @@
+ /*
+  * SPDX-License-Identifier: ISC
+  *
+- * Copyright (c) 2012-2015, 2017-2019 Todd C. Miller <Todd.Miller@sudo.ws>
++ * Copyright (c) 2012-2015, 2017-2020 Todd C. Miller <Todd.Miller@sudo.ws>
+  *
+  * Permission to use, copy, modify, and distribute this software for any
+  * purpose with or without fee is hereby granted, provided that the above
+@@ -32,20 +32,24 @@
+ #include <unistd.h>
+ 
+ #include "sudo_compat.h"
++#include "sudo_util.h"
+ 
+-#if defined(HAVE_DECL_SYS_SIGNAME) && HAVE_DECL_SYS_SIGNAME == 1
+-#  define sudo_sys_signame	sys_signame
+-#elif defined(HAVE_DECL__SYS_SIGNAME) && HAVE_DECL__SYS_SIGNAME == 1
+-#  define sudo_sys_signame	_sys_signame
+-#elif defined(HAVE_DECL_SYS_SIGABBREV) && HAVE_DECL_SYS_SIGABBREV == 1
+-#  define sudo_sys_signame	sys_sigabbrev
+-#else
+-# ifdef HAVE_SYS_SIGABBREV
+-   /* sys_sigabbrev is not declared by glibc */
+-#  define sudo_sys_signame	sys_sigabbrev
++#if !defined(HAVE_SIGABBREV_NP)
++# if defined(HAVE_DECL_SYS_SIGNAME) && HAVE_DECL_SYS_SIGNAME == 1
++#   define sigabbrev_np(_x)	sys_signame[(_x)]
++# elif defined(HAVE_DECL__SYS_SIGNAME) && HAVE_DECL__SYS_SIGNAME == 1
++#   define sigabbrev_np(_x)	_sys_signame[(_x)]
++# elif defined(HAVE_SYS_SIGABBREV)
++#   define sigabbrev_np(_x)	sys_sigabbrev[(_x)]
++#  if defined(HAVE_DECL_SYS_SIGABBREV) && HAVE_DECL_SYS_SIGABBREV == 0
++    /* sys_sigabbrev is not declared by glibc */
++    extern const char *const sys_sigabbrev[NSIG];
++#  endif
++# else
++#   define sigabbrev_np(_x)	sudo_sys_signame[(_x)]
++    extern const char *const sudo_sys_signame[NSIG];
+ # endif
+-extern const char *const sudo_sys_signame[NSIG];
+-#endif
++#endif /* !HAVE_SIGABBREV_NP */
+ 
+ /*
+  * Translate signal number to name.
+@@ -77,15 +81,18 @@
+ 	return 0;
+     }
+ #endif
+-    if (signo > 0 && signo < NSIG && sudo_sys_signame[signo] != NULL) {
+-	strlcpy(signame, sudo_sys_signame[signo], SIG2STR_MAX);
+-	/* Make sure we always return an upper case signame. */
+-	if (islower((unsigned char)signame[0])) {
+-	    int i;
+-	    for (i = 0; signame[i] != '\0'; i++)
+-		signame[i] = toupper((unsigned char)signame[i]);
++    if (signo > 0 && signo < NSIG) {
++	const char *cp = sigabbrev_np(signo);
++	if (cp != NULL) {
++	    strlcpy(signame, cp, SIG2STR_MAX);
++	    /* Make sure we always return an upper case signame. */
++	    if (islower((unsigned char)signame[0])) {
++		int i;
++		for (i = 0; signame[i] != '\0'; i++)
++		    signame[i] = toupper((unsigned char)signame[i]);
++	    }
++	    return 0;
+ 	}
+-	return 0;
+     }
+     errno = EINVAL;
+     return -1;
+diff -r 1ede927d99b3 -r e30482f26924 lib/util/str2sig.c
+--- a/lib/util/str2sig.c	Mon Aug 17 19:37:09 2020 -0600
++++ b/lib/util/str2sig.c	Tue Aug 25 16:48:13 2020 -0600
+@@ -1,7 +1,7 @@
+ /*
+  * SPDX-License-Identifier: ISC
+  *
+- * Copyright (c) 2019 Todd C. Miller <Todd.Miller@sudo.ws>
++ * Copyright (c) 2019-2020 Todd C. Miller <Todd.Miller@sudo.ws>
+  *
+  * Permission to use, copy, modify, and distribute this software for any
+  * purpose with or without fee is hereby granted, provided that the above
+@@ -37,19 +37,22 @@
+ #include "sudo_compat.h"
+ #include "sudo_util.h"
+ 
+-#if defined(HAVE_DECL_SYS_SIGNAME) && HAVE_DECL_SYS_SIGNAME == 1
+-#  define sudo_sys_signame	sys_signame
+-#elif defined(HAVE_DECL__SYS_SIGNAME) && HAVE_DECL__SYS_SIGNAME == 1
+-#  define sudo_sys_signame	_sys_signame
+-#elif defined(HAVE_DECL_SYS_SIGABBREV) && HAVE_DECL_SYS_SIGABBREV == 1
+-#  define sudo_sys_signame	sys_sigabbrev
+-#else
+-# ifdef HAVE_SYS_SIGABBREV
+-   /* sys_sigabbrev is not declared by glibc */
+-#  define sudo_sys_signame	sys_sigabbrev
++#if !defined(HAVE_SIGABBREV_NP)
++# if defined(HAVE_DECL_SYS_SIGNAME) && HAVE_DECL_SYS_SIGNAME == 1
++#   define sigabbrev_np(_x)	sys_signame[(_x)]
++# elif defined(HAVE_DECL__SYS_SIGNAME) && HAVE_DECL__SYS_SIGNAME == 1
++#   define sigabbrev_np(_x)	_sys_signame[(_x)]
++# elif defined(HAVE_SYS_SIGABBREV)
++#   define sigabbrev_np(_x)	sys_sigabbrev[(_x)]
++#  if defined(HAVE_DECL_SYS_SIGABBREV) && HAVE_DECL_SYS_SIGABBREV == 0
++    /* sys_sigabbrev is not declared by glibc */
++    extern const char *const sys_sigabbrev[NSIG];
++#  endif
++# else
++#   define sigabbrev_np(_x)	sudo_sys_signame[(_x)]
++    extern const char *const sudo_sys_signame[NSIG];
+ # endif
+-extern const char *const sudo_sys_signame[NSIG];
+-#endif
++#endif /* !HAVE_SIGABBREV_NP */
+ 
+ /*
+  * Many systems use aliases for source backward compatibility.
+@@ -154,11 +157,11 @@
+ 	}
+     }
+ 
+-    /* Check sys_signame[]. */
+     for (signo = 1; signo < NSIG; signo++) {
+-	if (sudo_sys_signame[signo] != NULL) {
++	const char *cp = sigabbrev_np(signo);
++	if (cp != NULL) {
+ 	    /* On macOS sys_signame[] may contain lower-case names. */
+-	    if (strcasecmp(signame, sudo_sys_signame[signo]) == 0) {
++	    if (strcasecmp(signame, cp) == 0) {
+ 		*result = signo;
+ 		return 0;
+ 	    }
+

diff --git a/app-admin/sudo/sudo-1.9.2-r1.ebuild b/app-admin/sudo/sudo-1.9.2-r1.ebuild
new file mode 100644
index 00000000000..1f1f6e60dd3
--- /dev/null
+++ b/app-admin/sudo/sudo-1.9.2-r1.ebuild
@@ -0,0 +1,265 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit pam multilib libtool systemd tmpfiles
+
+MY_P="${P/_/}"
+MY_P="${MY_P/beta/b}"
+
+DESCRIPTION="Allows users or groups to run commands as other users"
+HOMEPAGE="https://www.sudo.ws/"
+if [[ ${PV} == "9999" ]] ; then
+	inherit mercurial
+	EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
+else
+	uri_prefix=
+	case ${P} in
+		*_beta*|*_rc*) uri_prefix=beta/ ;;
+	esac
+
+	SRC_URI="https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
+		ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"
+	if [[ ${PV} != *_beta* ]] && [[ ${PV} != *_rc* ]] ; then
+		KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86 ~sparc-solaris"
+	fi
+fi
+
+# Basic license is ISC-style as-is, some files are released under
+# 3-clause BSD license
+LICENSE="ISC BSD"
+SLOT="0"
+IUSE="gcrypt ldap libressl nls offensive pam sasl +secure-path selinux +sendmail skey ssl sssd"
+
+DEPEND="
+	sys-libs/zlib:=
+	gcrypt? ( dev-libs/libgcrypt:= )
+	ldap? (
+		>=net-nds/openldap-2.1.30-r1
+		sasl? (
+			dev-libs/cyrus-sasl
+			net-nds/openldap[sasl]
+		)
+	)
+	pam? ( sys-libs/pam )
+	sasl? ( dev-libs/cyrus-sasl )
+	skey? ( >=sys-auth/skey-1.1.5-r1 )
+	ssl? (
+		!libressl? ( dev-libs/openssl:0= )
+		libressl? ( dev-libs/libressl:0= )
+	)
+	sssd? ( sys-auth/sssd[sudo] )
+"
+RDEPEND="
+	${DEPEND}
+	>=app-misc/editor-wrapper-3
+	virtual/editor
+	ldap? ( dev-lang/perl )
+	pam? ( sys-auth/pambase )
+	selinux? ( sec-policy/selinux-sudo )
+	sendmail? ( virtual/mta )
+"
+BDEPEND="
+	sys-devel/bison
+	virtual/pkgconfig
+"
+
+S="${WORKDIR}/${MY_P}"
+
+REQUIRED_USE="
+	pam? ( !skey )
+	skey? ( !pam )
+"
+
+REQUIRED_USE="?? ( gcrypt ssl )"
+
+MAKEOPTS+=" SAMPLES="
+
+PATCHES=( "${FILESDIR}/${P}-glibc-2.32.patch" )  # drop for releases after 1.9.2
+
+src_prepare() {
+	default
+	elibtoolize
+}
+
+set_secure_path() {
+	# FIXME: secure_path is a compile time setting. using PATH or
+	# ROOTPATH is not perfect, env-update may invalidate this, but until it
+	# is available as a sudoers setting this will have to do.
+	einfo "Setting secure_path ..."
+
+	# first extract the default ROOTPATH from build env
+	SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env;
+		echo "${ROOTPATH}")
+		case "${SECURE_PATH}" in
+			*/usr/sbin*) ;;
+			*) SECURE_PATH=$(unset PATH;
+				. "${EPREFIX}"/etc/profile.env; echo "${PATH}")
+				;;
+		esac
+	if [[ -z ${SECURE_PATH} ]] ; then
+		ewarn "	Failed to detect SECURE_PATH, please report this"
+	fi
+
+	# then remove duplicate path entries
+	cleanpath() {
+		local newpath thisp IFS=:
+		for thisp in $1 ; do
+			if [[ :${newpath}: != *:${thisp}:* ]] ; then
+				newpath+=:${thisp}
+			else
+				einfo "   Duplicate entry ${thisp} removed..."
+			fi
+		done
+		SECURE_PATH=${newpath#:}
+	}
+	cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
+
+	# finally, strip gcc paths #136027
+	rmpath() {
+		local e newpath thisp IFS=:
+		for thisp in ${SECURE_PATH} ; do
+			for e ; do [[ ${thisp} == ${e} ]] && continue 2 ; done
+			newpath+=:${thisp}
+		done
+		SECURE_PATH=${newpath#:}
+	}
+	rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*'
+
+	einfo "... done"
+}
+
+src_configure() {
+	local SECURE_PATH
+	set_secure_path
+
+	# audit: somebody got to explain me how I can test this before I
+	# enable it.. - Diego
+	# plugindir: autoconf code is crappy and does not delay evaluation
+	# until `make` time, so we have to use a full path here rather than
+	# basing off other values.
+	myeconfargs=(
+		# requires some python eclass
+		--disable-python
+		--enable-tmpfiles.d="${EPREFIX}"/usr/lib/tmpfiles.d
+		--enable-zlib=system
+		--with-editor="${EPREFIX}"/usr/libexec/editor
+		--with-env-editor
+		--with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo
+		--with-rundir="${EPREFIX}"/run/sudo
+		--with-vardir="${EPREFIX}"/var/db/sudo
+		--without-linux-audit
+		--without-opie
+		$(use_enable gcrypt)
+		$(use_enable nls)
+		$(use_enable sasl)
+		$(use_enable ssl openssl)
+		$(use_with ldap)
+		$(use_with ldap ldap_conf_file /etc/ldap.conf.sudo)
+		$(use_with offensive insults)
+		$(use_with offensive all-insults)
+		$(use_with pam)
+		$(use_with pam pam-login)
+		$(use_with secure-path secure-path "${SECURE_PATH}")
+		$(use_with selinux)
+		$(use_with sendmail)
+		$(use_with skey)
+		$(use_with sssd)
+	)
+
+	econf "${myeconfargs[@]}"
+}
+
+src_install() {
+	default
+
+	if use ldap ; then
+		dodoc README.LDAP
+
+		cat <<-EOF > "${T}"/ldap.conf.sudo
+		# See ldap.conf(5) and README.LDAP for details
+		# This file should only be readable by root
+
+		# supported directives: host, port, ssl, ldap_version
+		# uri, binddn, bindpw, sudoers_base, sudoers_debug
+		# tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key}
+		EOF
+
+		if use sasl ; then
+			cat <<-EOF >> "${T}"/ldap.conf.sudo
+
+			# SASL directives: use_sasl, sasl_mech, sasl_auth_id
+			# sasl_secprops, rootuse_sasl, rootsasl_auth_id, krb5_ccname
+			EOF
+		fi
+
+		insinto /etc
+		doins "${T}"/ldap.conf.sudo
+		fperms 0440 /etc/ldap.conf.sudo
+
+		insinto /etc/openldap/schema
+		newins doc/schema.OpenLDAP sudo.schema
+	fi
+
+	pamd_mimic system-auth sudo auth account session
+	pamd_mimic system-auth sudo-i auth account session
+
+	keepdir /var/db/sudo/lectured
+	fperms 0700 /var/db/sudo/lectured
+	fperms 0711 /var/db/sudo #652958
+
+	# Don't install into /run as that is a tmpfs most of the time
+	# (bug #504854)
+	rm -rf "${ED}"/run || die
+
+	find "${ED}" -type f -name "*.la" -delete || die #697812
+}
+
+pkg_postinst() {
+	tmpfiles_process sudo.conf
+
+	#652958
+	local sudo_db="${EROOT}/var/db/sudo"
+	if [[ "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then
+		chmod 711 "${sudo_db}" || die
+	fi
+
+	if use ldap ; then
+		ewarn
+		ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."
+		ewarn
+		if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
+			ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
+			ewarn "configured in /etc/nsswitch.conf."
+			ewarn
+			ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"
+			ewarn "  sudoers: ldap files"
+			ewarn
+		fi
+	fi
+	if use prefix ; then
+		ewarn
+		ewarn "To use sudo, you need to change file ownership and permissions"
+		ewarn "with root privileges, as follows:"
+		ewarn
+		ewarn "  # chown root:root ${EPREFIX}/usr/bin/sudo"
+		ewarn "  # chown root:root ${EPREFIX}/usr/lib/sudo/sudoers.so"
+		ewarn "  # chown root:root ${EPREFIX}/etc/sudoers"
+		ewarn "  # chown root:root ${EPREFIX}/etc/sudoers.d"
+		ewarn "  # chown root:root ${EPREFIX}/var/db/sudo"
+		ewarn "  # chmod 4111 ${EPREFIX}/usr/bin/sudo"
+		ewarn
+	fi
+
+	elog "To use the -A (askpass) option, you need to install a compatible"
+	elog "password program from the following list. Starred packages will"
+	elog "automatically register for the use with sudo (but will not force"
+	elog "the -A option):"
+	elog ""
+	elog " [*] net-misc/ssh-askpass-fullscreen"
+	elog "     net-misc/x11-ssh-askpass"
+	elog ""
+	elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
+	elog "variable to the program you want to use."
+}


^ permalink raw reply related	[flat|nested] 9+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: app-admin/sudo/files/, app-admin/sudo/
@ 2020-11-24 17:32 Lars Wendler
  0 siblings, 0 replies; 9+ messages in thread
From: Lars Wendler @ 2020-11-24 17:32 UTC (permalink / raw
  To: gentoo-commits

commit:     29c55bb31c9ab70d0ff0235432ab646b29f77188
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Tue Nov 24 17:32:06 2020 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Tue Nov 24 17:32:16 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=29c55bb3

app-admin/sudo: Removed old

Package-Manager: Portage-3.0.10, Repoman-3.0.2
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>

 app-admin/sudo/Manifest                          |   1 -
 app-admin/sudo/files/sudo-1.9.2-glibc-2.32.patch | 308 -----------------------
 app-admin/sudo/sudo-1.9.2-r1.ebuild              | 265 -------------------
 app-admin/sudo/sudo-1.9.2.ebuild                 | 263 -------------------
 4 files changed, 837 deletions(-)

diff --git a/app-admin/sudo/Manifest b/app-admin/sudo/Manifest
index 46bb87376cb..af5d1aa60cb 100644
--- a/app-admin/sudo/Manifest
+++ b/app-admin/sudo/Manifest
@@ -1,3 +1,2 @@
-DIST sudo-1.9.2.tar.gz 3890859 BLAKE2B 879917b8045c999a17ef36006732509aa546ee6bb04de77191fb637aa0420d54f9e51ec69b697c22119d638393e9c84efcc1ca5e6e8ee5f0c08bb1ca07f3acea SHA512 20afdf2604b1c93395157382b24f225cd1ff88d3a892362e2d69fecd240c4e7171f05032c08be1778cd1dea6e460025e4241f57272fac0ea3550e220b6d73d21
 DIST sudo-1.9.3p1.tar.gz 3958071 BLAKE2B b681c120faa5dc7f25e27c1be423d68cea70f63dcdfea2183fd386a34dec0376555453399d3f8886c66c6507343648d40b59a058710432154061b210df2a704c SHA512 3ad13fd03e5b371fd6bf7909731ffc11431d2182a744b654f7e5d4b810e47955d49bc78f551afe13ec56acbce694139c33a15bc022cea41b17af5496b8b7f89f
 DIST sudo-1.9.4rc1.tar.gz 3990112 BLAKE2B f08f5651c6688bcf9ebaf95fcadeb5a78e7f78201d1d67fb9808b950df1f882b80b162acb79ee37c2b786045286202746fcb82c4659d57cafdfe74d4da79e86e SHA512 cf745dd1f798097fff38b6c74e9446005e589990b3580ba42e1af6bd68fbf084d6da836795a83f5222274ffff305a0899aae103723e68fd1c0ccaee7f16a477a

diff --git a/app-admin/sudo/files/sudo-1.9.2-glibc-2.32.patch b/app-admin/sudo/files/sudo-1.9.2-glibc-2.32.patch
deleted file mode 100644
index 6134fe736d0..00000000000
--- a/app-admin/sudo/files/sudo-1.9.2-glibc-2.32.patch
+++ /dev/null
@@ -1,308 +0,0 @@
-
-# HG changeset patch
-# User Todd C. Miller <Todd.Miller@sudo.ws>
-# Date 1598395693 21600
-# Node ID e30482f26924b07775d87ae591e54ad72e794d5e
-# Parent  1ede927d99b3cb06ba514c9fd2fd7fa9a014a1b2
-Use sigabbrev_np(3) to access signal abbreviations if supported.
-glibc-2.32 has removed sys_sigabbrev[], we can use sigabbrev_np(3) instead.
-
-diff -r 1ede927d99b3 -r e30482f26924 config.h.in
---- a/config.h.in	Mon Aug 17 19:37:09 2020 -0600
-+++ b/config.h.in	Tue Aug 25 16:48:13 2020 -0600
-@@ -740,6 +740,9 @@
- /* Define to 1 if you have the `sig2str' function. */
- #undef HAVE_SIG2STR
- 
-+/* Define to 1 if you have the `sigabbrev_np' function. */
-+#undef HAVE_SIGABBREV_NP
-+
- /* Define to 1 if you use S/Key. */
- #undef HAVE_SKEY
- 
-diff -r 1ede927d99b3 -r e30482f26924 configure
---- a/configure	Mon Aug 17 19:37:09 2020 -0600
-+++ b/configure	Tue Aug 25 16:48:13 2020 -0600
-@@ -23687,9 +23687,21 @@
- 
- 
- if test x"${ac_cv_func_sig2str}${ac_cv_func_str2sig}" != x"yesyes"; then
--    COMPAT_TEST_PROGS="${COMPAT_TEST_PROGS}${COMPAT_TEST_PROGS+ }strsig_test"
--    HAVE_SIGNAME="false"
--    ac_fn_c_check_decl "$LINENO" "sys_signame" "ac_cv_have_decl_sys_signame" "
-+    for ac_func in sigabbrev_np
-+do :
-+  ac_fn_c_check_func "$LINENO" "sigabbrev_np" "ac_cv_func_sigabbrev_np"
-+if test "x$ac_cv_func_sigabbrev_np" = xyes; then :
-+  cat >>confdefs.h <<_ACEOF
-+#define HAVE_SIGABBREV_NP 1
-+_ACEOF
-+
-+fi
-+done
-+
-+    if test x"${ac_cv_func_sigabbrev_np}" != x"yes"; then
-+	COMPAT_TEST_PROGS="${COMPAT_TEST_PROGS}${COMPAT_TEST_PROGS+ }strsig_test"
-+	HAVE_SIGNAME="false"
-+	ac_fn_c_check_decl "$LINENO" "sys_signame" "ac_cv_have_decl_sys_signame" "
- $ac_includes_default
- #include <signal.h>
- 
-@@ -23705,7 +23717,7 @@
- _ACEOF
- if test $ac_have_decl = 1; then :
- 
--	HAVE_SIGNAME="true"
-+	    HAVE_SIGNAME="true"
- 
- fi
- ac_fn_c_check_decl "$LINENO" "_sys_signame" "ac_cv_have_decl__sys_signame" "
-@@ -23724,7 +23736,7 @@
- _ACEOF
- if test $ac_have_decl = 1; then :
- 
--	HAVE_SIGNAME="true"
-+	    HAVE_SIGNAME="true"
- 
- fi
- ac_fn_c_check_decl "$LINENO" "sys_sigabbrev" "ac_cv_have_decl_sys_sigabbrev" "
-@@ -23743,12 +23755,12 @@
- _ACEOF
- if test $ac_have_decl = 1; then :
- 
--	HAVE_SIGNAME="true"
--
--fi
--
--    if test "$HAVE_SIGNAME" != "true"; then
--	{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for undeclared sys_sigabbrev" >&5
-+	    HAVE_SIGNAME="true"
-+
-+fi
-+
-+	if test "$HAVE_SIGNAME" != "true"; then
-+	    { $as_echo "$as_me:${as_lineno-$LINENO}: checking for undeclared sys_sigabbrev" >&5
- $as_echo_n "checking for undeclared sys_sigabbrev... " >&6; }
- if ${sudo_cv_var_sys_sigabbrev+:} false; then :
-   $as_echo_n "(cached) " >&6
-@@ -23777,17 +23789,18 @@
- fi
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_sys_sigabbrev" >&5
- $as_echo "$sudo_cv_var_sys_sigabbrev" >&6; }
--	if test "$sudo_cv_var_sys_sigabbrev" = yes; then
--	    $as_echo "#define HAVE_SYS_SIGABBREV 1" >>confdefs.h
--
--	else
--	    case " $LIBOBJS " in
-+	    if test "$sudo_cv_var_sys_sigabbrev" = yes; then
-+		$as_echo "#define HAVE_SYS_SIGABBREV 1" >>confdefs.h
-+
-+	    else
-+		case " $LIBOBJS " in
-   *" signame.$ac_objext "* ) ;;
-   *) LIBOBJS="$LIBOBJS signame.$ac_objext"
-  ;;
- esac
- 
--	    SIGNAME=signame.lo
-+		SIGNAME=signame.lo
-+	    fi
- 	fi
-     fi
- fi
-diff -r 1ede927d99b3 -r e30482f26924 configure.ac
---- a/configure.ac	Mon Aug 17 19:37:09 2020 -0600
-+++ b/configure.ac	Tue Aug 25 16:48:13 2020 -0600
-@@ -3498,29 +3498,32 @@
- dnl Also enable unit tests for sig2str() and str2sig().
- dnl
- if test x"${ac_cv_func_sig2str}${ac_cv_func_str2sig}" != x"yesyes"; then
--    COMPAT_TEST_PROGS="${COMPAT_TEST_PROGS}${COMPAT_TEST_PROGS+ }strsig_test"
--    HAVE_SIGNAME="false"
--    AC_CHECK_DECLS([sys_signame, _sys_signame, sys_sigabbrev], [
--	HAVE_SIGNAME="true"
--    ], [ ], [
-+    AC_CHECK_FUNCS([sigabbrev_np])
-+    if test x"${ac_cv_func_sigabbrev_np}" != x"yes"; then
-+	COMPAT_TEST_PROGS="${COMPAT_TEST_PROGS}${COMPAT_TEST_PROGS+ }strsig_test"
-+	HAVE_SIGNAME="false"
-+	AC_CHECK_DECLS([sys_signame, _sys_signame, sys_sigabbrev], [
-+	    HAVE_SIGNAME="true"
-+	], [ ], [
- AC_INCLUDES_DEFAULT
- #include <signal.h>
--    ])
--    if test "$HAVE_SIGNAME" != "true"; then
--	AC_CACHE_CHECK([for undeclared sys_sigabbrev],
--	    [sudo_cv_var_sys_sigabbrev],
--	    [AC_LINK_IFELSE(
--		[AC_LANG_PROGRAM([[extern char **sys_sigabbrev;]], [[return sys_sigabbrev[1];]])],
--		    [sudo_cv_var_sys_sigabbrev=yes],
--		    [sudo_cv_var_sys_sigabbrev=no]
--		)
--	    ]
--	)
--	if test "$sudo_cv_var_sys_sigabbrev" = yes; then
--	    AC_DEFINE(HAVE_SYS_SIGABBREV)
--	else
--	    AC_LIBOBJ(signame)
--	    SIGNAME=signame.lo
-+	])
-+	if test "$HAVE_SIGNAME" != "true"; then
-+	    AC_CACHE_CHECK([for undeclared sys_sigabbrev],
-+		[sudo_cv_var_sys_sigabbrev],
-+		[AC_LINK_IFELSE(
-+		    [AC_LANG_PROGRAM([[extern char **sys_sigabbrev;]], [[return sys_sigabbrev[1];]])],
-+			[sudo_cv_var_sys_sigabbrev=yes],
-+			[sudo_cv_var_sys_sigabbrev=no]
-+		    )
-+		]
-+	    )
-+	    if test "$sudo_cv_var_sys_sigabbrev" = yes; then
-+		AC_DEFINE(HAVE_SYS_SIGABBREV)
-+	    else
-+		AC_LIBOBJ(signame)
-+		SIGNAME=signame.lo
-+	    fi
- 	fi
-     fi
- fi
-diff -r 1ede927d99b3 -r e30482f26924 lib/util/sig2str.c
---- a/lib/util/sig2str.c	Mon Aug 17 19:37:09 2020 -0600
-+++ b/lib/util/sig2str.c	Tue Aug 25 16:48:13 2020 -0600
-@@ -1,7 +1,7 @@
- /*
-  * SPDX-License-Identifier: ISC
-  *
-- * Copyright (c) 2012-2015, 2017-2019 Todd C. Miller <Todd.Miller@sudo.ws>
-+ * Copyright (c) 2012-2015, 2017-2020 Todd C. Miller <Todd.Miller@sudo.ws>
-  *
-  * Permission to use, copy, modify, and distribute this software for any
-  * purpose with or without fee is hereby granted, provided that the above
-@@ -32,20 +32,24 @@
- #include <unistd.h>
- 
- #include "sudo_compat.h"
-+#include "sudo_util.h"
- 
--#if defined(HAVE_DECL_SYS_SIGNAME) && HAVE_DECL_SYS_SIGNAME == 1
--#  define sudo_sys_signame	sys_signame
--#elif defined(HAVE_DECL__SYS_SIGNAME) && HAVE_DECL__SYS_SIGNAME == 1
--#  define sudo_sys_signame	_sys_signame
--#elif defined(HAVE_DECL_SYS_SIGABBREV) && HAVE_DECL_SYS_SIGABBREV == 1
--#  define sudo_sys_signame	sys_sigabbrev
--#else
--# ifdef HAVE_SYS_SIGABBREV
--   /* sys_sigabbrev is not declared by glibc */
--#  define sudo_sys_signame	sys_sigabbrev
-+#if !defined(HAVE_SIGABBREV_NP)
-+# if defined(HAVE_DECL_SYS_SIGNAME) && HAVE_DECL_SYS_SIGNAME == 1
-+#   define sigabbrev_np(_x)	sys_signame[(_x)]
-+# elif defined(HAVE_DECL__SYS_SIGNAME) && HAVE_DECL__SYS_SIGNAME == 1
-+#   define sigabbrev_np(_x)	_sys_signame[(_x)]
-+# elif defined(HAVE_SYS_SIGABBREV)
-+#   define sigabbrev_np(_x)	sys_sigabbrev[(_x)]
-+#  if defined(HAVE_DECL_SYS_SIGABBREV) && HAVE_DECL_SYS_SIGABBREV == 0
-+    /* sys_sigabbrev is not declared by glibc */
-+    extern const char *const sys_sigabbrev[NSIG];
-+#  endif
-+# else
-+#   define sigabbrev_np(_x)	sudo_sys_signame[(_x)]
-+    extern const char *const sudo_sys_signame[NSIG];
- # endif
--extern const char *const sudo_sys_signame[NSIG];
--#endif
-+#endif /* !HAVE_SIGABBREV_NP */
- 
- /*
-  * Translate signal number to name.
-@@ -77,15 +81,18 @@
- 	return 0;
-     }
- #endif
--    if (signo > 0 && signo < NSIG && sudo_sys_signame[signo] != NULL) {
--	strlcpy(signame, sudo_sys_signame[signo], SIG2STR_MAX);
--	/* Make sure we always return an upper case signame. */
--	if (islower((unsigned char)signame[0])) {
--	    int i;
--	    for (i = 0; signame[i] != '\0'; i++)
--		signame[i] = toupper((unsigned char)signame[i]);
-+    if (signo > 0 && signo < NSIG) {
-+	const char *cp = sigabbrev_np(signo);
-+	if (cp != NULL) {
-+	    strlcpy(signame, cp, SIG2STR_MAX);
-+	    /* Make sure we always return an upper case signame. */
-+	    if (islower((unsigned char)signame[0])) {
-+		int i;
-+		for (i = 0; signame[i] != '\0'; i++)
-+		    signame[i] = toupper((unsigned char)signame[i]);
-+	    }
-+	    return 0;
- 	}
--	return 0;
-     }
-     errno = EINVAL;
-     return -1;
-diff -r 1ede927d99b3 -r e30482f26924 lib/util/str2sig.c
---- a/lib/util/str2sig.c	Mon Aug 17 19:37:09 2020 -0600
-+++ b/lib/util/str2sig.c	Tue Aug 25 16:48:13 2020 -0600
-@@ -1,7 +1,7 @@
- /*
-  * SPDX-License-Identifier: ISC
-  *
-- * Copyright (c) 2019 Todd C. Miller <Todd.Miller@sudo.ws>
-+ * Copyright (c) 2019-2020 Todd C. Miller <Todd.Miller@sudo.ws>
-  *
-  * Permission to use, copy, modify, and distribute this software for any
-  * purpose with or without fee is hereby granted, provided that the above
-@@ -37,19 +37,22 @@
- #include "sudo_compat.h"
- #include "sudo_util.h"
- 
--#if defined(HAVE_DECL_SYS_SIGNAME) && HAVE_DECL_SYS_SIGNAME == 1
--#  define sudo_sys_signame	sys_signame
--#elif defined(HAVE_DECL__SYS_SIGNAME) && HAVE_DECL__SYS_SIGNAME == 1
--#  define sudo_sys_signame	_sys_signame
--#elif defined(HAVE_DECL_SYS_SIGABBREV) && HAVE_DECL_SYS_SIGABBREV == 1
--#  define sudo_sys_signame	sys_sigabbrev
--#else
--# ifdef HAVE_SYS_SIGABBREV
--   /* sys_sigabbrev is not declared by glibc */
--#  define sudo_sys_signame	sys_sigabbrev
-+#if !defined(HAVE_SIGABBREV_NP)
-+# if defined(HAVE_DECL_SYS_SIGNAME) && HAVE_DECL_SYS_SIGNAME == 1
-+#   define sigabbrev_np(_x)	sys_signame[(_x)]
-+# elif defined(HAVE_DECL__SYS_SIGNAME) && HAVE_DECL__SYS_SIGNAME == 1
-+#   define sigabbrev_np(_x)	_sys_signame[(_x)]
-+# elif defined(HAVE_SYS_SIGABBREV)
-+#   define sigabbrev_np(_x)	sys_sigabbrev[(_x)]
-+#  if defined(HAVE_DECL_SYS_SIGABBREV) && HAVE_DECL_SYS_SIGABBREV == 0
-+    /* sys_sigabbrev is not declared by glibc */
-+    extern const char *const sys_sigabbrev[NSIG];
-+#  endif
-+# else
-+#   define sigabbrev_np(_x)	sudo_sys_signame[(_x)]
-+    extern const char *const sudo_sys_signame[NSIG];
- # endif
--extern const char *const sudo_sys_signame[NSIG];
--#endif
-+#endif /* !HAVE_SIGABBREV_NP */
- 
- /*
-  * Many systems use aliases for source backward compatibility.
-@@ -154,11 +157,11 @@
- 	}
-     }
- 
--    /* Check sys_signame[]. */
-     for (signo = 1; signo < NSIG; signo++) {
--	if (sudo_sys_signame[signo] != NULL) {
-+	const char *cp = sigabbrev_np(signo);
-+	if (cp != NULL) {
- 	    /* On macOS sys_signame[] may contain lower-case names. */
--	    if (strcasecmp(signame, sudo_sys_signame[signo]) == 0) {
-+	    if (strcasecmp(signame, cp) == 0) {
- 		*result = signo;
- 		return 0;
- 	    }
-

diff --git a/app-admin/sudo/sudo-1.9.2-r1.ebuild b/app-admin/sudo/sudo-1.9.2-r1.ebuild
deleted file mode 100644
index 1f1f6e60dd3..00000000000
--- a/app-admin/sudo/sudo-1.9.2-r1.ebuild
+++ /dev/null
@@ -1,265 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit pam multilib libtool systemd tmpfiles
-
-MY_P="${P/_/}"
-MY_P="${MY_P/beta/b}"
-
-DESCRIPTION="Allows users or groups to run commands as other users"
-HOMEPAGE="https://www.sudo.ws/"
-if [[ ${PV} == "9999" ]] ; then
-	inherit mercurial
-	EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
-else
-	uri_prefix=
-	case ${P} in
-		*_beta*|*_rc*) uri_prefix=beta/ ;;
-	esac
-
-	SRC_URI="https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
-		ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"
-	if [[ ${PV} != *_beta* ]] && [[ ${PV} != *_rc* ]] ; then
-		KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86 ~sparc-solaris"
-	fi
-fi
-
-# Basic license is ISC-style as-is, some files are released under
-# 3-clause BSD license
-LICENSE="ISC BSD"
-SLOT="0"
-IUSE="gcrypt ldap libressl nls offensive pam sasl +secure-path selinux +sendmail skey ssl sssd"
-
-DEPEND="
-	sys-libs/zlib:=
-	gcrypt? ( dev-libs/libgcrypt:= )
-	ldap? (
-		>=net-nds/openldap-2.1.30-r1
-		sasl? (
-			dev-libs/cyrus-sasl
-			net-nds/openldap[sasl]
-		)
-	)
-	pam? ( sys-libs/pam )
-	sasl? ( dev-libs/cyrus-sasl )
-	skey? ( >=sys-auth/skey-1.1.5-r1 )
-	ssl? (
-		!libressl? ( dev-libs/openssl:0= )
-		libressl? ( dev-libs/libressl:0= )
-	)
-	sssd? ( sys-auth/sssd[sudo] )
-"
-RDEPEND="
-	${DEPEND}
-	>=app-misc/editor-wrapper-3
-	virtual/editor
-	ldap? ( dev-lang/perl )
-	pam? ( sys-auth/pambase )
-	selinux? ( sec-policy/selinux-sudo )
-	sendmail? ( virtual/mta )
-"
-BDEPEND="
-	sys-devel/bison
-	virtual/pkgconfig
-"
-
-S="${WORKDIR}/${MY_P}"
-
-REQUIRED_USE="
-	pam? ( !skey )
-	skey? ( !pam )
-"
-
-REQUIRED_USE="?? ( gcrypt ssl )"
-
-MAKEOPTS+=" SAMPLES="
-
-PATCHES=( "${FILESDIR}/${P}-glibc-2.32.patch" )  # drop for releases after 1.9.2
-
-src_prepare() {
-	default
-	elibtoolize
-}
-
-set_secure_path() {
-	# FIXME: secure_path is a compile time setting. using PATH or
-	# ROOTPATH is not perfect, env-update may invalidate this, but until it
-	# is available as a sudoers setting this will have to do.
-	einfo "Setting secure_path ..."
-
-	# first extract the default ROOTPATH from build env
-	SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env;
-		echo "${ROOTPATH}")
-		case "${SECURE_PATH}" in
-			*/usr/sbin*) ;;
-			*) SECURE_PATH=$(unset PATH;
-				. "${EPREFIX}"/etc/profile.env; echo "${PATH}")
-				;;
-		esac
-	if [[ -z ${SECURE_PATH} ]] ; then
-		ewarn "	Failed to detect SECURE_PATH, please report this"
-	fi
-
-	# then remove duplicate path entries
-	cleanpath() {
-		local newpath thisp IFS=:
-		for thisp in $1 ; do
-			if [[ :${newpath}: != *:${thisp}:* ]] ; then
-				newpath+=:${thisp}
-			else
-				einfo "   Duplicate entry ${thisp} removed..."
-			fi
-		done
-		SECURE_PATH=${newpath#:}
-	}
-	cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
-
-	# finally, strip gcc paths #136027
-	rmpath() {
-		local e newpath thisp IFS=:
-		for thisp in ${SECURE_PATH} ; do
-			for e ; do [[ ${thisp} == ${e} ]] && continue 2 ; done
-			newpath+=:${thisp}
-		done
-		SECURE_PATH=${newpath#:}
-	}
-	rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*'
-
-	einfo "... done"
-}
-
-src_configure() {
-	local SECURE_PATH
-	set_secure_path
-
-	# audit: somebody got to explain me how I can test this before I
-	# enable it.. - Diego
-	# plugindir: autoconf code is crappy and does not delay evaluation
-	# until `make` time, so we have to use a full path here rather than
-	# basing off other values.
-	myeconfargs=(
-		# requires some python eclass
-		--disable-python
-		--enable-tmpfiles.d="${EPREFIX}"/usr/lib/tmpfiles.d
-		--enable-zlib=system
-		--with-editor="${EPREFIX}"/usr/libexec/editor
-		--with-env-editor
-		--with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo
-		--with-rundir="${EPREFIX}"/run/sudo
-		--with-vardir="${EPREFIX}"/var/db/sudo
-		--without-linux-audit
-		--without-opie
-		$(use_enable gcrypt)
-		$(use_enable nls)
-		$(use_enable sasl)
-		$(use_enable ssl openssl)
-		$(use_with ldap)
-		$(use_with ldap ldap_conf_file /etc/ldap.conf.sudo)
-		$(use_with offensive insults)
-		$(use_with offensive all-insults)
-		$(use_with pam)
-		$(use_with pam pam-login)
-		$(use_with secure-path secure-path "${SECURE_PATH}")
-		$(use_with selinux)
-		$(use_with sendmail)
-		$(use_with skey)
-		$(use_with sssd)
-	)
-
-	econf "${myeconfargs[@]}"
-}
-
-src_install() {
-	default
-
-	if use ldap ; then
-		dodoc README.LDAP
-
-		cat <<-EOF > "${T}"/ldap.conf.sudo
-		# See ldap.conf(5) and README.LDAP for details
-		# This file should only be readable by root
-
-		# supported directives: host, port, ssl, ldap_version
-		# uri, binddn, bindpw, sudoers_base, sudoers_debug
-		# tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key}
-		EOF
-
-		if use sasl ; then
-			cat <<-EOF >> "${T}"/ldap.conf.sudo
-
-			# SASL directives: use_sasl, sasl_mech, sasl_auth_id
-			# sasl_secprops, rootuse_sasl, rootsasl_auth_id, krb5_ccname
-			EOF
-		fi
-
-		insinto /etc
-		doins "${T}"/ldap.conf.sudo
-		fperms 0440 /etc/ldap.conf.sudo
-
-		insinto /etc/openldap/schema
-		newins doc/schema.OpenLDAP sudo.schema
-	fi
-
-	pamd_mimic system-auth sudo auth account session
-	pamd_mimic system-auth sudo-i auth account session
-
-	keepdir /var/db/sudo/lectured
-	fperms 0700 /var/db/sudo/lectured
-	fperms 0711 /var/db/sudo #652958
-
-	# Don't install into /run as that is a tmpfs most of the time
-	# (bug #504854)
-	rm -rf "${ED}"/run || die
-
-	find "${ED}" -type f -name "*.la" -delete || die #697812
-}
-
-pkg_postinst() {
-	tmpfiles_process sudo.conf
-
-	#652958
-	local sudo_db="${EROOT}/var/db/sudo"
-	if [[ "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then
-		chmod 711 "${sudo_db}" || die
-	fi
-
-	if use ldap ; then
-		ewarn
-		ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."
-		ewarn
-		if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
-			ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
-			ewarn "configured in /etc/nsswitch.conf."
-			ewarn
-			ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"
-			ewarn "  sudoers: ldap files"
-			ewarn
-		fi
-	fi
-	if use prefix ; then
-		ewarn
-		ewarn "To use sudo, you need to change file ownership and permissions"
-		ewarn "with root privileges, as follows:"
-		ewarn
-		ewarn "  # chown root:root ${EPREFIX}/usr/bin/sudo"
-		ewarn "  # chown root:root ${EPREFIX}/usr/lib/sudo/sudoers.so"
-		ewarn "  # chown root:root ${EPREFIX}/etc/sudoers"
-		ewarn "  # chown root:root ${EPREFIX}/etc/sudoers.d"
-		ewarn "  # chown root:root ${EPREFIX}/var/db/sudo"
-		ewarn "  # chmod 4111 ${EPREFIX}/usr/bin/sudo"
-		ewarn
-	fi
-
-	elog "To use the -A (askpass) option, you need to install a compatible"
-	elog "password program from the following list. Starred packages will"
-	elog "automatically register for the use with sudo (but will not force"
-	elog "the -A option):"
-	elog ""
-	elog " [*] net-misc/ssh-askpass-fullscreen"
-	elog "     net-misc/x11-ssh-askpass"
-	elog ""
-	elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
-	elog "variable to the program you want to use."
-}

diff --git a/app-admin/sudo/sudo-1.9.2.ebuild b/app-admin/sudo/sudo-1.9.2.ebuild
deleted file mode 100644
index ff902d2d4e1..00000000000
--- a/app-admin/sudo/sudo-1.9.2.ebuild
+++ /dev/null
@@ -1,263 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit pam multilib libtool systemd tmpfiles
-
-MY_P="${P/_/}"
-MY_P="${MY_P/beta/b}"
-
-DESCRIPTION="Allows users or groups to run commands as other users"
-HOMEPAGE="https://www.sudo.ws/"
-if [[ ${PV} == "9999" ]] ; then
-	inherit mercurial
-	EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
-else
-	uri_prefix=
-	case ${P} in
-		*_beta*|*_rc*) uri_prefix=beta/ ;;
-	esac
-
-	SRC_URI="https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
-		ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"
-	if [[ ${PV} != *_beta* ]] && [[ ${PV} != *_rc* ]] ; then
-		KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 s390 sparc x86 ~sparc-solaris"
-	fi
-fi
-
-# Basic license is ISC-style as-is, some files are released under
-# 3-clause BSD license
-LICENSE="ISC BSD"
-SLOT="0"
-IUSE="gcrypt ldap libressl nls offensive pam sasl +secure-path selinux +sendmail skey ssl sssd"
-
-DEPEND="
-	sys-libs/zlib:=
-	gcrypt? ( dev-libs/libgcrypt:= )
-	ldap? (
-		>=net-nds/openldap-2.1.30-r1
-		sasl? (
-			dev-libs/cyrus-sasl
-			net-nds/openldap[sasl]
-		)
-	)
-	pam? ( sys-libs/pam )
-	sasl? ( dev-libs/cyrus-sasl )
-	skey? ( >=sys-auth/skey-1.1.5-r1 )
-	ssl? (
-		!libressl? ( dev-libs/openssl:0= )
-		libressl? ( dev-libs/libressl:0= )
-	)
-	sssd? ( sys-auth/sssd[sudo] )
-"
-RDEPEND="
-	${DEPEND}
-	>=app-misc/editor-wrapper-3
-	virtual/editor
-	ldap? ( dev-lang/perl )
-	pam? ( sys-auth/pambase )
-	selinux? ( sec-policy/selinux-sudo )
-	sendmail? ( virtual/mta )
-"
-BDEPEND="
-	sys-devel/bison
-	virtual/pkgconfig
-"
-
-S="${WORKDIR}/${MY_P}"
-
-REQUIRED_USE="
-	pam? ( !skey )
-	skey? ( !pam )
-"
-
-REQUIRED_USE="?? ( gcrypt ssl )"
-
-MAKEOPTS+=" SAMPLES="
-
-src_prepare() {
-	default
-	elibtoolize
-}
-
-set_secure_path() {
-	# FIXME: secure_path is a compile time setting. using PATH or
-	# ROOTPATH is not perfect, env-update may invalidate this, but until it
-	# is available as a sudoers setting this will have to do.
-	einfo "Setting secure_path ..."
-
-	# first extract the default ROOTPATH from build env
-	SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env;
-		echo "${ROOTPATH}")
-		case "${SECURE_PATH}" in
-			*/usr/sbin*) ;;
-			*) SECURE_PATH=$(unset PATH;
-				. "${EPREFIX}"/etc/profile.env; echo "${PATH}")
-				;;
-		esac
-	if [[ -z ${SECURE_PATH} ]] ; then
-		ewarn "	Failed to detect SECURE_PATH, please report this"
-	fi
-
-	# then remove duplicate path entries
-	cleanpath() {
-		local newpath thisp IFS=:
-		for thisp in $1 ; do
-			if [[ :${newpath}: != *:${thisp}:* ]] ; then
-				newpath+=:${thisp}
-			else
-				einfo "   Duplicate entry ${thisp} removed..."
-			fi
-		done
-		SECURE_PATH=${newpath#:}
-	}
-	cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
-
-	# finally, strip gcc paths #136027
-	rmpath() {
-		local e newpath thisp IFS=:
-		for thisp in ${SECURE_PATH} ; do
-			for e ; do [[ ${thisp} == ${e} ]] && continue 2 ; done
-			newpath+=:${thisp}
-		done
-		SECURE_PATH=${newpath#:}
-	}
-	rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*'
-
-	einfo "... done"
-}
-
-src_configure() {
-	local SECURE_PATH
-	set_secure_path
-
-	# audit: somebody got to explain me how I can test this before I
-	# enable it.. - Diego
-	# plugindir: autoconf code is crappy and does not delay evaluation
-	# until `make` time, so we have to use a full path here rather than
-	# basing off other values.
-	myeconfargs=(
-		# requires some python eclass
-		--disable-python
-		--enable-tmpfiles.d="${EPREFIX}"/usr/lib/tmpfiles.d
-		--enable-zlib=system
-		--with-editor="${EPREFIX}"/usr/libexec/editor
-		--with-env-editor
-		--with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo
-		--with-rundir="${EPREFIX}"/run/sudo
-		--with-vardir="${EPREFIX}"/var/db/sudo
-		--without-linux-audit
-		--without-opie
-		$(use_enable gcrypt)
-		$(use_enable nls)
-		$(use_enable sasl)
-		$(use_enable ssl openssl)
-		$(use_with ldap)
-		$(use_with ldap ldap_conf_file /etc/ldap.conf.sudo)
-		$(use_with offensive insults)
-		$(use_with offensive all-insults)
-		$(use_with pam)
-		$(use_with pam pam-login)
-		$(use_with secure-path secure-path "${SECURE_PATH}")
-		$(use_with selinux)
-		$(use_with sendmail)
-		$(use_with skey)
-		$(use_with sssd)
-	)
-
-	econf "${myeconfargs[@]}"
-}
-
-src_install() {
-	default
-
-	if use ldap ; then
-		dodoc README.LDAP
-
-		cat <<-EOF > "${T}"/ldap.conf.sudo
-		# See ldap.conf(5) and README.LDAP for details
-		# This file should only be readable by root
-
-		# supported directives: host, port, ssl, ldap_version
-		# uri, binddn, bindpw, sudoers_base, sudoers_debug
-		# tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key}
-		EOF
-
-		if use sasl ; then
-			cat <<-EOF >> "${T}"/ldap.conf.sudo
-
-			# SASL directives: use_sasl, sasl_mech, sasl_auth_id
-			# sasl_secprops, rootuse_sasl, rootsasl_auth_id, krb5_ccname
-			EOF
-		fi
-
-		insinto /etc
-		doins "${T}"/ldap.conf.sudo
-		fperms 0440 /etc/ldap.conf.sudo
-
-		insinto /etc/openldap/schema
-		newins doc/schema.OpenLDAP sudo.schema
-	fi
-
-	pamd_mimic system-auth sudo auth account session
-	pamd_mimic system-auth sudo-i auth account session
-
-	keepdir /var/db/sudo/lectured
-	fperms 0700 /var/db/sudo/lectured
-	fperms 0711 /var/db/sudo #652958
-
-	# Don't install into /run as that is a tmpfs most of the time
-	# (bug #504854)
-	rm -rf "${ED}"/run || die
-
-	find "${ED}" -type f -name "*.la" -delete || die #697812
-}
-
-pkg_postinst() {
-	tmpfiles_process sudo.conf
-
-	#652958
-	local sudo_db="${EROOT}/var/db/sudo"
-	if [[ "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then
-		chmod 711 "${sudo_db}" || die
-	fi
-
-	if use ldap ; then
-		ewarn
-		ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."
-		ewarn
-		if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
-			ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
-			ewarn "configured in /etc/nsswitch.conf."
-			ewarn
-			ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"
-			ewarn "  sudoers: ldap files"
-			ewarn
-		fi
-	fi
-	if use prefix ; then
-		ewarn
-		ewarn "To use sudo, you need to change file ownership and permissions"
-		ewarn "with root privileges, as follows:"
-		ewarn
-		ewarn "  # chown root:root ${EPREFIX}/usr/bin/sudo"
-		ewarn "  # chown root:root ${EPREFIX}/usr/lib/sudo/sudoers.so"
-		ewarn "  # chown root:root ${EPREFIX}/etc/sudoers"
-		ewarn "  # chown root:root ${EPREFIX}/etc/sudoers.d"
-		ewarn "  # chown root:root ${EPREFIX}/var/db/sudo"
-		ewarn "  # chmod 4111 ${EPREFIX}/usr/bin/sudo"
-		ewarn
-	fi
-
-	elog "To use the -A (askpass) option, you need to install a compatible"
-	elog "password program from the following list. Starred packages will"
-	elog "automatically register for the use with sudo (but will not force"
-	elog "the -A option):"
-	elog ""
-	elog " [*] net-misc/ssh-askpass-fullscreen"
-	elog "     net-misc/x11-ssh-askpass"
-	elog ""
-	elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
-	elog "variable to the program you want to use."
-}


^ permalink raw reply related	[flat|nested] 9+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: app-admin/sudo/files/, app-admin/sudo/
@ 2020-12-01 10:37 Lars Wendler
  0 siblings, 0 replies; 9+ messages in thread
From: Lars Wendler @ 2020-12-01 10:37 UTC (permalink / raw
  To: gentoo-commits

commit:     9ba5fba4c49a57b06edf98a78f72fccf0a84aafa
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Tue Dec  1 10:36:59 2020 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Tue Dec  1 10:37:47 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9ba5fba4

app-admin/sudo: Fixed build with USE="-sendmail"

Reported-by: matoro <matoro <AT> airmail.cc>
Closes: https://bugs.gentoo.org/757819
Package-Manager: Portage-3.0.11, Repoman-3.0.2
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>

 .../sudo-1.9.4-without-sendmail_build_fix.patch    | 45 ++++++++++++++++++++++
 app-admin/sudo/sudo-1.9.4.ebuild                   |  4 ++
 2 files changed, 49 insertions(+)

diff --git a/app-admin/sudo/files/sudo-1.9.4-without-sendmail_build_fix.patch b/app-admin/sudo/files/sudo-1.9.4-without-sendmail_build_fix.patch
new file mode 100644
index 00000000000..f40bfe445e0
--- /dev/null
+++ b/app-admin/sudo/files/sudo-1.9.4-without-sendmail_build_fix.patch
@@ -0,0 +1,45 @@
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1606767492 25200
+# Node ID 41db1aad85bbce444b511bcb28b9628a0a22fcd9
+# Parent  96a5cfe3c66b6ee84d7f7b6fb26d932f45a44b76
+Fix build when configured using --without-sendmail
+Bug #947
+
+diff -r 96a5cfe3c66b -r 41db1aad85bb lib/eventlog/eventlog.c
+--- a/lib/eventlog/eventlog.c	Sun Nov 29 15:11:34 2020 -0700
++++ b/lib/eventlog/eventlog.c	Mon Nov 30 13:18:12 2020 -0700
+@@ -78,7 +78,7 @@
+ static FILE *eventlog_stub_open_log(int type, const char *logfile);
+ static void eventlog_stub_close_log(int type, FILE *fp);
+ 
+-/* Eventlog config settings */
++/* Eventlog config settings (default values). */
+ static struct eventlog_config evl_conf = {
+     EVLOG_NONE,			/* type */
+     EVLOG_SUDO,			/* format */
+@@ -91,7 +91,11 @@
+     false,			/* omit_hostname */
+     _PATH_SUDO_LOGFILE,		/* logpath */
+     "%h %e %T",			/* time_fmt */
++#ifdef _PATH_SUDO_SENDMAIL
+     _PATH_SUDO_SENDMAIL,	/* mailerpath */
++#else
++    NULL,			/* mailerpath (disabled) */
++#endif
+     "-t",			/* mailerflags */
+     NULL,			/* mailfrom */
+     MAILTO,			/* mailto */
+@@ -1436,8 +1440,10 @@
+ 	evl_conf.logpath = _PATH_SUDO_LOGFILE;
+     if (evl_conf.time_fmt == NULL)
+ 	evl_conf.time_fmt = "%h %e %T";
++#ifdef _PATH_SUDO_SENDMAIL
+     if (evl_conf.mailerpath == NULL)
+ 	evl_conf.mailerpath = _PATH_SUDO_SENDMAIL;
++#endif
+     if (evl_conf.mailerflags == NULL)
+ 	evl_conf.mailerflags = "-t";
+     if (evl_conf.mailto == NULL)
+

diff --git a/app-admin/sudo/sudo-1.9.4.ebuild b/app-admin/sudo/sudo-1.9.4.ebuild
index 84770ae1b43..74f99d722ac 100644
--- a/app-admin/sudo/sudo-1.9.4.ebuild
+++ b/app-admin/sudo/sudo-1.9.4.ebuild
@@ -74,6 +74,10 @@ REQUIRED_USE="
 
 MAKEOPTS+=" SAMPLES="
 
+PATCHES=(
+	"${FILESDIR}/${P}-without-sendmail_build_fix.patch" #757819
+)
+
 src_prepare() {
 	default
 	elibtoolize


^ permalink raw reply related	[flat|nested] 9+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: app-admin/sudo/files/, app-admin/sudo/
@ 2021-01-11 15:59 Lars Wendler
  0 siblings, 0 replies; 9+ messages in thread
From: Lars Wendler @ 2021-01-11 15:59 UTC (permalink / raw
  To: gentoo-commits

commit:     858bbc1eabd1e5b3008d51344ec99f0aabf6fe86
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Mon Jan 11 15:59:09 2021 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Mon Jan 11 15:59:48 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=858bbc1e

app-admin/sudo: Removed old

Package-Manager: Portage-3.0.13, Repoman-3.0.2
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>

 app-admin/sudo/Manifest                            |   1 -
 .../sudo-1.9.4-without-sendmail_build_fix.patch    |  45 ----
 app-admin/sudo/sudo-1.9.4_p1.ebuild                | 261 ---------------------
 3 files changed, 307 deletions(-)

diff --git a/app-admin/sudo/Manifest b/app-admin/sudo/Manifest
index efb03549f69..8fdc2d16a64 100644
--- a/app-admin/sudo/Manifest
+++ b/app-admin/sudo/Manifest
@@ -1,4 +1,3 @@
 DIST sudo-1.9.3p1.tar.gz 3958071 BLAKE2B b681c120faa5dc7f25e27c1be423d68cea70f63dcdfea2183fd386a34dec0376555453399d3f8886c66c6507343648d40b59a058710432154061b210df2a704c SHA512 3ad13fd03e5b371fd6bf7909731ffc11431d2182a744b654f7e5d4b810e47955d49bc78f551afe13ec56acbce694139c33a15bc022cea41b17af5496b8b7f89f
-DIST sudo-1.9.4p1.tar.gz 3993946 BLAKE2B 171af5befe05e393846886077d0c210664ff86191ae1a093148d85ca80d4a8c6cd8c41ef91451207831f574267d32d4c621e47ecfa1d3b37ee8c498af6729369 SHA512 5d247c9ad68cd2c3ea504dc0a49db041f68c1575775b4bb3a5fb62abadc23295a42658d33430d6391152c7b44f66d9f165f77a91abb355edc2d2d8787d41cd91
 DIST sudo-1.9.4p2.tar.gz 3994184 BLAKE2B 110562792fa3d6f3f30fb0f07eefca975f062d41743fb84a34c27bf4c72296aa5f581de1f74895deedd6b47cb235399c52b9d3d818d274c6cdc61c741a0a287e SHA512 5258531d3dca0e812df5f4f8f26665f643c036d42534e3b98f5dd463624e9df0bba2a92c15da0c9958bda7e68f6f10b7b34875792ac9c205d1e70a12bc4f98a4
 DIST sudo-1.9.5.tar.gz 4008123 BLAKE2B 3b86dbdbf5ee421d0af33602eeefc4553c005ba7c85986f8fb56dcde6af20e0ea7942b0f2e9de8b41c5a0158b97317da42593d4d7c7f39ffa265cc11f3ae0232 SHA512 7044bbe83194171f0514b9d4809be037c01d8e1daacf4444165019c19346c4bc89f20e679b4dd6d25a7de5edfcc1ba710ae0a02b49fdbe8b46d0f1fc7ce1ab47

diff --git a/app-admin/sudo/files/sudo-1.9.4-without-sendmail_build_fix.patch b/app-admin/sudo/files/sudo-1.9.4-without-sendmail_build_fix.patch
deleted file mode 100644
index f40bfe445e0..00000000000
--- a/app-admin/sudo/files/sudo-1.9.4-without-sendmail_build_fix.patch
+++ /dev/null
@@ -1,45 +0,0 @@
-
-# HG changeset patch
-# User Todd C. Miller <Todd.Miller@sudo.ws>
-# Date 1606767492 25200
-# Node ID 41db1aad85bbce444b511bcb28b9628a0a22fcd9
-# Parent  96a5cfe3c66b6ee84d7f7b6fb26d932f45a44b76
-Fix build when configured using --without-sendmail
-Bug #947
-
-diff -r 96a5cfe3c66b -r 41db1aad85bb lib/eventlog/eventlog.c
---- a/lib/eventlog/eventlog.c	Sun Nov 29 15:11:34 2020 -0700
-+++ b/lib/eventlog/eventlog.c	Mon Nov 30 13:18:12 2020 -0700
-@@ -78,7 +78,7 @@
- static FILE *eventlog_stub_open_log(int type, const char *logfile);
- static void eventlog_stub_close_log(int type, FILE *fp);
- 
--/* Eventlog config settings */
-+/* Eventlog config settings (default values). */
- static struct eventlog_config evl_conf = {
-     EVLOG_NONE,			/* type */
-     EVLOG_SUDO,			/* format */
-@@ -91,7 +91,11 @@
-     false,			/* omit_hostname */
-     _PATH_SUDO_LOGFILE,		/* logpath */
-     "%h %e %T",			/* time_fmt */
-+#ifdef _PATH_SUDO_SENDMAIL
-     _PATH_SUDO_SENDMAIL,	/* mailerpath */
-+#else
-+    NULL,			/* mailerpath (disabled) */
-+#endif
-     "-t",			/* mailerflags */
-     NULL,			/* mailfrom */
-     MAILTO,			/* mailto */
-@@ -1436,8 +1440,10 @@
- 	evl_conf.logpath = _PATH_SUDO_LOGFILE;
-     if (evl_conf.time_fmt == NULL)
- 	evl_conf.time_fmt = "%h %e %T";
-+#ifdef _PATH_SUDO_SENDMAIL
-     if (evl_conf.mailerpath == NULL)
- 	evl_conf.mailerpath = _PATH_SUDO_SENDMAIL;
-+#endif
-     if (evl_conf.mailerflags == NULL)
- 	evl_conf.mailerflags = "-t";
-     if (evl_conf.mailto == NULL)
-

diff --git a/app-admin/sudo/sudo-1.9.4_p1.ebuild b/app-admin/sudo/sudo-1.9.4_p1.ebuild
deleted file mode 100644
index 84770ae1b43..00000000000
--- a/app-admin/sudo/sudo-1.9.4_p1.ebuild
+++ /dev/null
@@ -1,261 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit pam multilib libtool systemd tmpfiles
-
-MY_P="${P/_/}"
-MY_P="${MY_P/beta/b}"
-
-DESCRIPTION="Allows users or groups to run commands as other users"
-HOMEPAGE="https://www.sudo.ws/"
-if [[ ${PV} == "9999" ]] ; then
-	inherit mercurial
-	EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
-else
-	uri_prefix=
-	case ${P} in
-		*_beta*|*_rc*) uri_prefix=beta/ ;;
-	esac
-
-	SRC_URI="https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
-		ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"
-	if [[ ${PV} != *_beta* ]] && [[ ${PV} != *_rc* ]] ; then
-		KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86 ~sparc-solaris"
-	fi
-fi
-
-# Basic license is ISC-style as-is, some files are released under
-# 3-clause BSD license
-LICENSE="ISC BSD"
-SLOT="0"
-IUSE="gcrypt ldap libressl nls offensive pam sasl +secure-path selinux +sendmail skey ssl sssd"
-
-DEPEND="
-	sys-libs/zlib:=
-	gcrypt? ( dev-libs/libgcrypt:= )
-	ldap? (
-		>=net-nds/openldap-2.1.30-r1
-		sasl? (
-			dev-libs/cyrus-sasl
-			net-nds/openldap[sasl]
-		)
-	)
-	pam? ( sys-libs/pam )
-	sasl? ( dev-libs/cyrus-sasl )
-	skey? ( >=sys-auth/skey-1.1.5-r1 )
-	ssl? (
-		!libressl? ( dev-libs/openssl:0= )
-		libressl? ( dev-libs/libressl:0= )
-	)
-	sssd? ( sys-auth/sssd[sudo] )
-"
-RDEPEND="
-	${DEPEND}
-	>=app-misc/editor-wrapper-3
-	virtual/editor
-	ldap? ( dev-lang/perl )
-	pam? ( sys-auth/pambase )
-	selinux? ( sec-policy/selinux-sudo )
-	sendmail? ( virtual/mta )
-"
-BDEPEND="
-	sys-devel/bison
-	virtual/pkgconfig
-"
-
-S="${WORKDIR}/${MY_P}"
-
-REQUIRED_USE="
-	?? ( pam skey )
-	?? ( gcrypt ssl )
-"
-
-MAKEOPTS+=" SAMPLES="
-
-src_prepare() {
-	default
-	elibtoolize
-}
-
-set_secure_path() {
-	# FIXME: secure_path is a compile time setting. using PATH or
-	# ROOTPATH is not perfect, env-update may invalidate this, but until it
-	# is available as a sudoers setting this will have to do.
-	einfo "Setting secure_path ..."
-
-	# first extract the default ROOTPATH from build env
-	SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env;
-		echo "${ROOTPATH}")
-		case "${SECURE_PATH}" in
-			*/usr/sbin*) ;;
-			*) SECURE_PATH=$(unset PATH;
-				. "${EPREFIX}"/etc/profile.env; echo "${PATH}")
-				;;
-		esac
-	if [[ -z ${SECURE_PATH} ]] ; then
-		ewarn "	Failed to detect SECURE_PATH, please report this"
-	fi
-
-	# then remove duplicate path entries
-	cleanpath() {
-		local newpath thisp IFS=:
-		for thisp in $1 ; do
-			if [[ :${newpath}: != *:${thisp}:* ]] ; then
-				newpath+=:${thisp}
-			else
-				einfo "   Duplicate entry ${thisp} removed..."
-			fi
-		done
-		SECURE_PATH=${newpath#:}
-	}
-	cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
-
-	# finally, strip gcc paths #136027
-	rmpath() {
-		local e newpath thisp IFS=:
-		for thisp in ${SECURE_PATH} ; do
-			for e ; do [[ ${thisp} == ${e} ]] && continue 2 ; done
-			newpath+=:${thisp}
-		done
-		SECURE_PATH=${newpath#:}
-	}
-	rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*'
-
-	einfo "... done"
-}
-
-src_configure() {
-	local SECURE_PATH
-	set_secure_path
-
-	# audit: somebody got to explain me how I can test this before I
-	# enable it.. - Diego
-	# plugindir: autoconf code is crappy and does not delay evaluation
-	# until `make` time, so we have to use a full path here rather than
-	# basing off other values.
-	myeconfargs=(
-		# requires some python eclass
-		--disable-python
-		--enable-tmpfiles.d="${EPREFIX}"/usr/lib/tmpfiles.d
-		--enable-zlib=system
-		--with-editor="${EPREFIX}"/usr/libexec/editor
-		--with-env-editor
-		--with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo
-		--with-rundir="${EPREFIX}"/run/sudo
-		--with-vardir="${EPREFIX}"/var/db/sudo
-		--without-linux-audit
-		--without-opie
-		$(use_enable gcrypt)
-		$(use_enable nls)
-		$(use_enable sasl)
-		$(use_enable ssl openssl)
-		$(use_with ldap)
-		$(use_with ldap ldap_conf_file /etc/ldap.conf.sudo)
-		$(use_with offensive insults)
-		$(use_with offensive all-insults)
-		$(use_with pam)
-		$(use_with pam pam-login)
-		$(use_with secure-path secure-path "${SECURE_PATH}")
-		$(use_with selinux)
-		$(use_with sendmail)
-		$(use_with skey)
-		$(use_with sssd)
-	)
-
-	econf "${myeconfargs[@]}"
-}
-
-src_install() {
-	default
-
-	if use ldap ; then
-		dodoc README.LDAP
-
-		cat <<-EOF > "${T}"/ldap.conf.sudo
-		# See ldap.conf(5) and README.LDAP for details
-		# This file should only be readable by root
-
-		# supported directives: host, port, ssl, ldap_version
-		# uri, binddn, bindpw, sudoers_base, sudoers_debug
-		# tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key}
-		EOF
-
-		if use sasl ; then
-			cat <<-EOF >> "${T}"/ldap.conf.sudo
-
-			# SASL directives: use_sasl, sasl_mech, sasl_auth_id
-			# sasl_secprops, rootuse_sasl, rootsasl_auth_id, krb5_ccname
-			EOF
-		fi
-
-		insinto /etc
-		doins "${T}"/ldap.conf.sudo
-		fperms 0440 /etc/ldap.conf.sudo
-
-		insinto /etc/openldap/schema
-		newins doc/schema.OpenLDAP sudo.schema
-	fi
-
-	pamd_mimic system-auth sudo auth account session
-	pamd_mimic system-auth sudo-i auth account session
-
-	keepdir /var/db/sudo/lectured
-	fperms 0700 /var/db/sudo/lectured
-	fperms 0711 /var/db/sudo #652958
-
-	# Don't install into /run as that is a tmpfs most of the time
-	# (bug #504854)
-	rm -rf "${ED}"/run || die
-
-	find "${ED}" -type f -name "*.la" -delete || die #697812
-}
-
-pkg_postinst() {
-	tmpfiles_process sudo.conf
-
-	#652958
-	local sudo_db="${EROOT}/var/db/sudo"
-	if [[ "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then
-		chmod 711 "${sudo_db}" || die
-	fi
-
-	if use ldap ; then
-		ewarn
-		ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."
-		ewarn
-		if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
-			ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
-			ewarn "configured in /etc/nsswitch.conf."
-			ewarn
-			ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"
-			ewarn "  sudoers: ldap files"
-			ewarn
-		fi
-	fi
-	if use prefix ; then
-		ewarn
-		ewarn "To use sudo, you need to change file ownership and permissions"
-		ewarn "with root privileges, as follows:"
-		ewarn
-		ewarn "  # chown root:root ${EPREFIX}/usr/bin/sudo"
-		ewarn "  # chown root:root ${EPREFIX}/usr/lib/sudo/sudoers.so"
-		ewarn "  # chown root:root ${EPREFIX}/etc/sudoers"
-		ewarn "  # chown root:root ${EPREFIX}/etc/sudoers.d"
-		ewarn "  # chown root:root ${EPREFIX}/var/db/sudo"
-		ewarn "  # chmod 4111 ${EPREFIX}/usr/bin/sudo"
-		ewarn
-	fi
-
-	elog "To use the -A (askpass) option, you need to install a compatible"
-	elog "password program from the following list. Starred packages will"
-	elog "automatically register for the use with sudo (but will not force"
-	elog "the -A option):"
-	elog ""
-	elog " [*] net-misc/ssh-askpass-fullscreen"
-	elog "     net-misc/x11-ssh-askpass"
-	elog ""
-	elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
-	elog "variable to the program you want to use."
-}


^ permalink raw reply related	[flat|nested] 9+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: app-admin/sudo/files/, app-admin/sudo/
@ 2021-01-30 10:19 Lars Wendler
  0 siblings, 0 replies; 9+ messages in thread
From: Lars Wendler @ 2021-01-30 10:19 UTC (permalink / raw
  To: gentoo-commits

commit:     e3dea34c197901b5d40aa0683ee9c0473ab62b9c
Author:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
AuthorDate: Sat Jan 30 10:18:50 2021 +0000
Commit:     Lars Wendler <polynomial-c <AT> gentoo <DOT> org>
CommitDate: Sat Jan 30 10:18:50 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e3dea34c

app-admin/sudo: Revbump to fix NO_ROOT_MAILER issue

Removed old. Bumped straight to stable.

Bug: https://bugs.gentoo.org/767946
Package-Manager: Portage-3.0.14, Repoman-3.0.2
Signed-off-by: Lars Wendler <polynomial-c <AT> gentoo.org>

 .../files/sudo-1.9.5_p2-NO_ROOT_MAILER_fix.patch   | 51 ++++++++++++++++++++++
 ...udo-1.9.5_p2.ebuild => sudo-1.9.5_p2-r1.ebuild} |  4 ++
 2 files changed, 55 insertions(+)

diff --git a/app-admin/sudo/files/sudo-1.9.5_p2-NO_ROOT_MAILER_fix.patch b/app-admin/sudo/files/sudo-1.9.5_p2-NO_ROOT_MAILER_fix.patch
new file mode 100644
index 00000000000..7cae441cbcf
--- /dev/null
+++ b/app-admin/sudo/files/sudo-1.9.5_p2-NO_ROOT_MAILER_fix.patch
@@ -0,0 +1,51 @@
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1611924154 25200
+# Node ID e0d4f196ba027604154f79ddd03a0b90f90c9607
+# Parent  cd1c7615e861083e9e9b61d0e0070354e227ea5c
+Fix NO_ROOT_MAILER, broken by the eventlog refactor in sudo 1.9.4.
+init_eventlog_config() is called immediately after initializing the
+Defaults settings, which is before struct sudo_user is setup.  This
+adds a call to eventlog_set_mailuid() if NO_ROOT_MAILER is defined
+after the invoking user is determined.  Reported by Roman Fiedler.
+
+diff -r cd1c7615e861 -r e0d4f196ba02 plugins/sudoers/logging.c
+--- a/plugins/sudoers/logging.c	Tue Dec 08 12:35:21 2020 -0700
++++ b/plugins/sudoers/logging.c	Fri Jan 29 05:42:34 2021 -0700
+@@ -786,11 +786,6 @@
+ init_eventlog_config(void)
+ {
+     int logtype = 0;
+-#ifdef NO_ROOT_MAILER
+-    uid_t mailuid = user_uid;
+-#else
+-    uid_t mailuid = ROOT_UID;
+-#endif
+     debug_decl(init_eventlog_config, SUDOERS_DEBUG_LOGGING);
+ 
+     if (def_syslog)
+@@ -805,7 +800,7 @@
+     eventlog_set_syslog_alertpri(def_syslog_badpri);
+     eventlog_set_syslog_maxlen(def_syslog_maxlen);
+     eventlog_set_file_maxlen(def_loglinelen);
+-    eventlog_set_mailuid(mailuid);
++    eventlog_set_mailuid(ROOT_UID);
+     eventlog_set_omit_hostname(!def_log_host);
+     eventlog_set_logpath(def_logfile);
+     eventlog_set_time_fmt(def_log_year ? "%h %e %T %Y" : "%h %e %T");
+diff -r cd1c7615e861 -r e0d4f196ba02 plugins/sudoers/policy.c
+--- a/plugins/sudoers/policy.c	Tue Dec 08 12:35:21 2020 -0700
++++ b/plugins/sudoers/policy.c	Fri Jan 29 05:42:34 2021 -0700
+@@ -518,6 +518,10 @@
+     /* Some systems support fexecve() which we use for digest matches. */
+     cmnd_fd = -1;
+ 
++#ifdef NO_ROOT_MAILER
++    eventlog_set_mailuid(user_uid);
++#endif
++
+     /* Dump settings and user info (XXX - plugin args) */
+     for (cur = info->settings; *cur != NULL; cur++)
+ 	sudo_debug_printf(SUDO_DEBUG_INFO, "settings: %s", *cur);
+

diff --git a/app-admin/sudo/sudo-1.9.5_p2.ebuild b/app-admin/sudo/sudo-1.9.5_p2-r1.ebuild
similarity index 99%
rename from app-admin/sudo/sudo-1.9.5_p2.ebuild
rename to app-admin/sudo/sudo-1.9.5_p2-r1.ebuild
index 183dd7b6ece..af0d7b0c4bd 100644
--- a/app-admin/sudo/sudo-1.9.5_p2.ebuild
+++ b/app-admin/sudo/sudo-1.9.5_p2-r1.ebuild
@@ -74,6 +74,10 @@ REQUIRED_USE="
 
 MAKEOPTS+=" SAMPLES="
 
+PATCHES=(
+	"${FILESDIR}/${P}-NO_ROOT_MAILER_fix.patch" #767946
+)
+
 src_prepare() {
 	default
 	elibtoolize


^ permalink raw reply related	[flat|nested] 9+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: app-admin/sudo/files/, app-admin/sudo/
@ 2021-05-15 22:15 David Seifert
  0 siblings, 0 replies; 9+ messages in thread
From: David Seifert @ 2021-05-15 22:15 UTC (permalink / raw
  To: gentoo-commits

commit:     3ee41e51ea61830f476902cec874a01cb70d384e
Author:     David Seifert <soap <AT> gentoo <DOT> org>
AuthorDate: Sat May 15 22:14:35 2021 +0000
Commit:     David Seifert <soap <AT> gentoo <DOT> org>
CommitDate: Sat May 15 22:14:35 2021 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3ee41e51

app-admin/sudo: drop 1.9.5_p2-r1

Signed-off-by: David Seifert <soap <AT> gentoo.org>

 app-admin/sudo/Manifest                            |   1 -
 .../files/sudo-1.9.5_p2-NO_ROOT_MAILER_fix.patch   |  51 ----
 app-admin/sudo/sudo-1.9.5_p2-r1.ebuild             | 264 ---------------------
 3 files changed, 316 deletions(-)

diff --git a/app-admin/sudo/Manifest b/app-admin/sudo/Manifest
index ed865c663ca..78817b15d37 100644
--- a/app-admin/sudo/Manifest
+++ b/app-admin/sudo/Manifest
@@ -1,3 +1,2 @@
-DIST sudo-1.9.5p2.tar.gz 4012277 BLAKE2B 41913887463e4f775564af8d614fb5ed762200aa777dc789ec333842d4f432323474fc952a531fe929b33607cdfbcd18d7fe7470a15d67139deaf855841ed11f SHA512 f0fe914963c31a6f8ab6c86847ff6cdd125bd5a839b27f46dcae03963f4fc413b3d4cca54c1979feb825c8479b44c7df0642c07345c941eecf6f9f1e03ea0e27
 DIST sudo-1.9.6p1.tar.gz 4119888 BLAKE2B 02bdb551c46cff11ac56e64937c64e6a29ccd8e0af34ea2f6b33c223bee8f7ad958d0fc3d7ef8ef12bf5bc82565769b923ff112a3f3d6bf6999fa4f6ea55e38e SHA512 632dfe72f04ce9a7a5a7236fcd5c09ce4535e695ced49d24dd848e3a7b1bea7380df44188b9e475af4271069539b5a5816948a98fbb0649ebebaba8b4c4b7745
 DIST sudo-1.9.7.tar.gz 4194242 BLAKE2B 5addf9fc0a8fea8ada89f240f827dcec973277f120ad98f7942f8e46e2869c676eaca044b9c46e43dab120efea3413c71e19c30ef5b0d9cc4d9ad8f0413dbffe SHA512 53e9f18f6c0acd4f80c0cd695cd23781310e9edd305d1b3ea19653efa3fd7faba149daef0ba4953615b140a8816bc980c9bd8d28545dd8db98075abf11b63e61

diff --git a/app-admin/sudo/files/sudo-1.9.5_p2-NO_ROOT_MAILER_fix.patch b/app-admin/sudo/files/sudo-1.9.5_p2-NO_ROOT_MAILER_fix.patch
deleted file mode 100644
index 7cae441cbcf..00000000000
--- a/app-admin/sudo/files/sudo-1.9.5_p2-NO_ROOT_MAILER_fix.patch
+++ /dev/null
@@ -1,51 +0,0 @@
-
-# HG changeset patch
-# User Todd C. Miller <Todd.Miller@sudo.ws>
-# Date 1611924154 25200
-# Node ID e0d4f196ba027604154f79ddd03a0b90f90c9607
-# Parent  cd1c7615e861083e9e9b61d0e0070354e227ea5c
-Fix NO_ROOT_MAILER, broken by the eventlog refactor in sudo 1.9.4.
-init_eventlog_config() is called immediately after initializing the
-Defaults settings, which is before struct sudo_user is setup.  This
-adds a call to eventlog_set_mailuid() if NO_ROOT_MAILER is defined
-after the invoking user is determined.  Reported by Roman Fiedler.
-
-diff -r cd1c7615e861 -r e0d4f196ba02 plugins/sudoers/logging.c
---- a/plugins/sudoers/logging.c	Tue Dec 08 12:35:21 2020 -0700
-+++ b/plugins/sudoers/logging.c	Fri Jan 29 05:42:34 2021 -0700
-@@ -786,11 +786,6 @@
- init_eventlog_config(void)
- {
-     int logtype = 0;
--#ifdef NO_ROOT_MAILER
--    uid_t mailuid = user_uid;
--#else
--    uid_t mailuid = ROOT_UID;
--#endif
-     debug_decl(init_eventlog_config, SUDOERS_DEBUG_LOGGING);
- 
-     if (def_syslog)
-@@ -805,7 +800,7 @@
-     eventlog_set_syslog_alertpri(def_syslog_badpri);
-     eventlog_set_syslog_maxlen(def_syslog_maxlen);
-     eventlog_set_file_maxlen(def_loglinelen);
--    eventlog_set_mailuid(mailuid);
-+    eventlog_set_mailuid(ROOT_UID);
-     eventlog_set_omit_hostname(!def_log_host);
-     eventlog_set_logpath(def_logfile);
-     eventlog_set_time_fmt(def_log_year ? "%h %e %T %Y" : "%h %e %T");
-diff -r cd1c7615e861 -r e0d4f196ba02 plugins/sudoers/policy.c
---- a/plugins/sudoers/policy.c	Tue Dec 08 12:35:21 2020 -0700
-+++ b/plugins/sudoers/policy.c	Fri Jan 29 05:42:34 2021 -0700
-@@ -518,6 +518,10 @@
-     /* Some systems support fexecve() which we use for digest matches. */
-     cmnd_fd = -1;
- 
-+#ifdef NO_ROOT_MAILER
-+    eventlog_set_mailuid(user_uid);
-+#endif
-+
-     /* Dump settings and user info (XXX - plugin args) */
-     for (cur = info->settings; *cur != NULL; cur++)
- 	sudo_debug_printf(SUDO_DEBUG_INFO, "settings: %s", *cur);
-

diff --git a/app-admin/sudo/sudo-1.9.5_p2-r1.ebuild b/app-admin/sudo/sudo-1.9.5_p2-r1.ebuild
deleted file mode 100644
index 8a80098cbc6..00000000000
--- a/app-admin/sudo/sudo-1.9.5_p2-r1.ebuild
+++ /dev/null
@@ -1,264 +0,0 @@
-# Copyright 1999-2021 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit pam multilib libtool systemd tmpfiles toolchain-funcs
-
-MY_P="${P/_/}"
-MY_P="${MY_P/beta/b}"
-
-DESCRIPTION="Allows users or groups to run commands as other users"
-HOMEPAGE="https://www.sudo.ws/"
-if [[ ${PV} == "9999" ]] ; then
-	inherit mercurial
-	EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
-else
-	uri_prefix=
-	case ${P} in
-		*_beta*|*_rc*) uri_prefix=beta/ ;;
-	esac
-
-	SRC_URI="https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
-		ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"
-	if [[ ${PV} != *_beta* ]] && [[ ${PV} != *_rc* ]] ; then
-		KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 ~s390 sparc x86 ~sparc-solaris"
-	fi
-fi
-
-# Basic license is ISC-style as-is, some files are released under
-# 3-clause BSD license
-LICENSE="ISC BSD"
-SLOT="0"
-IUSE="gcrypt ldap nls offensive pam sasl +secure-path selinux +sendmail skey ssl sssd"
-
-DEPEND="
-	sys-libs/zlib:=
-	gcrypt? ( dev-libs/libgcrypt:= )
-	ldap? (
-		>=net-nds/openldap-2.1.30-r1
-		sasl? (
-			dev-libs/cyrus-sasl
-			net-nds/openldap[sasl]
-		)
-	)
-	pam? ( sys-libs/pam )
-	sasl? ( dev-libs/cyrus-sasl )
-	skey? ( >=sys-auth/skey-1.1.5-r1 )
-	ssl? ( dev-libs/openssl:0= )
-	sssd? ( sys-auth/sssd[sudo] )
-"
-RDEPEND="
-	${DEPEND}
-	>=app-misc/editor-wrapper-3
-	virtual/editor
-	ldap? ( dev-lang/perl )
-	pam? ( sys-auth/pambase )
-	selinux? ( sec-policy/selinux-sudo )
-	sendmail? ( virtual/mta )
-"
-BDEPEND="
-	sys-devel/bison
-	virtual/pkgconfig
-"
-
-S="${WORKDIR}/${MY_P}"
-
-REQUIRED_USE="
-	?? ( pam skey )
-	?? ( gcrypt ssl )
-"
-
-MAKEOPTS+=" SAMPLES="
-
-PATCHES=(
-	"${FILESDIR}/${P}-NO_ROOT_MAILER_fix.patch" #767946
-)
-
-src_prepare() {
-	default
-	elibtoolize
-}
-
-set_secure_path() {
-	# FIXME: secure_path is a compile time setting. using PATH or
-	# ROOTPATH is not perfect, env-update may invalidate this, but until it
-	# is available as a sudoers setting this will have to do.
-	einfo "Setting secure_path ..."
-
-	# first extract the default ROOTPATH from build env
-	SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env;
-		echo "${ROOTPATH}")
-		case "${SECURE_PATH}" in
-			*/usr/sbin*) ;;
-			*) SECURE_PATH=$(unset PATH;
-				. "${EPREFIX}"/etc/profile.env; echo "${PATH}")
-				;;
-		esac
-	if [[ -z ${SECURE_PATH} ]] ; then
-		ewarn "	Failed to detect SECURE_PATH, please report this"
-	fi
-
-	# then remove duplicate path entries
-	cleanpath() {
-		local newpath thisp IFS=:
-		for thisp in $1 ; do
-			if [[ :${newpath}: != *:${thisp}:* ]] ; then
-				newpath+=:${thisp}
-			else
-				einfo "   Duplicate entry ${thisp} removed..."
-			fi
-		done
-		SECURE_PATH=${newpath#:}
-	}
-	cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
-
-	# finally, strip gcc paths #136027
-	rmpath() {
-		local e newpath thisp IFS=:
-		for thisp in ${SECURE_PATH} ; do
-			for e ; do [[ ${thisp} == ${e} ]] && continue 2 ; done
-			newpath+=:${thisp}
-		done
-		SECURE_PATH=${newpath#:}
-	}
-	rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*'
-
-	einfo "... done"
-}
-
-src_configure() {
-	local SECURE_PATH
-	set_secure_path
-	tc-export PKG_CONFIG #767712
-
-	# audit: somebody got to explain me how I can test this before I
-	# enable it.. - Diego
-	# plugindir: autoconf code is crappy and does not delay evaluation
-	# until `make` time, so we have to use a full path here rather than
-	# basing off other values.
-	myeconfargs=(
-		# requires some python eclass
-		--disable-python
-		--enable-tmpfiles.d="${EPREFIX}"/usr/lib/tmpfiles.d
-		--enable-zlib=system
-		--with-editor="${EPREFIX}"/usr/libexec/editor
-		--with-env-editor
-		--with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo
-		--with-rundir="${EPREFIX}"/run/sudo
-		--with-vardir="${EPREFIX}"/var/db/sudo
-		--without-linux-audit
-		--without-opie
-		$(use_enable gcrypt)
-		$(use_enable nls)
-		$(use_enable sasl)
-		$(use_enable ssl openssl)
-		$(use_with ldap)
-		$(use_with ldap ldap_conf_file /etc/ldap.conf.sudo)
-		$(use_with offensive insults)
-		$(use_with offensive all-insults)
-		$(use_with pam)
-		$(use_with pam pam-login)
-		$(use_with secure-path secure-path "${SECURE_PATH}")
-		$(use_with selinux)
-		$(use_with sendmail)
-		$(use_with skey)
-		$(use_with sssd)
-	)
-
-	econf "${myeconfargs[@]}"
-}
-
-src_install() {
-	default
-
-	if use ldap ; then
-		dodoc README.LDAP
-
-		cat <<-EOF > "${T}"/ldap.conf.sudo
-		# See ldap.conf(5) and README.LDAP for details
-		# This file should only be readable by root
-
-		# supported directives: host, port, ssl, ldap_version
-		# uri, binddn, bindpw, sudoers_base, sudoers_debug
-		# tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key}
-		EOF
-
-		if use sasl ; then
-			cat <<-EOF >> "${T}"/ldap.conf.sudo
-
-			# SASL directives: use_sasl, sasl_mech, sasl_auth_id
-			# sasl_secprops, rootuse_sasl, rootsasl_auth_id, krb5_ccname
-			EOF
-		fi
-
-		insinto /etc
-		doins "${T}"/ldap.conf.sudo
-		fperms 0440 /etc/ldap.conf.sudo
-
-		insinto /etc/openldap/schema
-		newins doc/schema.OpenLDAP sudo.schema
-	fi
-	if use pam; then
-		pamd_mimic system-auth sudo auth account session
-		pamd_mimic system-auth sudo-i auth account session
-	fi
-
-	keepdir /var/db/sudo/lectured
-	fperms 0700 /var/db/sudo/lectured
-	fperms 0711 /var/db/sudo #652958
-
-	# Don't install into /run as that is a tmpfs most of the time
-	# (bug #504854)
-	rm -rf "${ED}"/run || die
-
-	find "${ED}" -type f -name "*.la" -delete || die #697812
-}
-
-pkg_postinst() {
-	tmpfiles_process sudo.conf
-
-	#652958
-	local sudo_db="${EROOT}/var/db/sudo"
-	if [[ "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then
-		chmod 711 "${sudo_db}" || die
-	fi
-
-	if use ldap ; then
-		ewarn
-		ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."
-		ewarn
-		if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
-			ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
-			ewarn "configured in /etc/nsswitch.conf."
-			ewarn
-			ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"
-			ewarn "  sudoers: ldap files"
-			ewarn
-		fi
-	fi
-	if use prefix ; then
-		ewarn
-		ewarn "To use sudo, you need to change file ownership and permissions"
-		ewarn "with root privileges, as follows:"
-		ewarn
-		ewarn "  # chown root:root ${EPREFIX}/usr/bin/sudo"
-		ewarn "  # chown root:root ${EPREFIX}/usr/lib/sudo/sudoers.so"
-		ewarn "  # chown root:root ${EPREFIX}/etc/sudoers"
-		ewarn "  # chown root:root ${EPREFIX}/etc/sudoers.d"
-		ewarn "  # chown root:root ${EPREFIX}/var/db/sudo"
-		ewarn "  # chmod 4111 ${EPREFIX}/usr/bin/sudo"
-		ewarn
-	fi
-
-	elog "To use the -A (askpass) option, you need to install a compatible"
-	elog "password program from the following list. Starred packages will"
-	elog "automatically register for the use with sudo (but will not force"
-	elog "the -A option):"
-	elog ""
-	elog " [*] net-misc/ssh-askpass-fullscreen"
-	elog "     net-misc/x11-ssh-askpass"
-	elog ""
-	elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
-	elog "variable to the program you want to use."
-}


^ permalink raw reply related	[flat|nested] 9+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: app-admin/sudo/files/, app-admin/sudo/
@ 2022-11-05  2:07 Sam James
  0 siblings, 0 replies; 9+ messages in thread
From: Sam James @ 2022-11-05  2:07 UTC (permalink / raw
  To: gentoo-commits

commit:     5eca952121b4f64dc7c40f81338384bf299ee771
Author:     John Helmert III <ajak <AT> gentoo <DOT> org>
AuthorDate: Sat Nov  5 00:39:58 2022 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Sat Nov  5 02:06:35 2022 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5eca9521

app-admin/sudo: patch CVE-2022-43995

Bug: https://bugs.gentoo.org/879209
Signed-off-by: John Helmert III <ajak <AT> gentoo.org>
Closes: https://github.com/gentoo/gentoo/pull/28143
Signed-off-by: Sam James <sam <AT> gentoo.org>

 .../sudo/files/sudo-1.9.12-CVE-2022-43995.patch    |  53 ++++
 app-admin/sudo/sudo-1.9.12-r1.ebuild               | 287 +++++++++++++++++++++
 2 files changed, 340 insertions(+)

diff --git a/app-admin/sudo/files/sudo-1.9.12-CVE-2022-43995.patch b/app-admin/sudo/files/sudo-1.9.12-CVE-2022-43995.patch
new file mode 100644
index 000000000000..2601669eecfd
--- /dev/null
+++ b/app-admin/sudo/files/sudo-1.9.12-CVE-2022-43995.patch
@@ -0,0 +1,53 @@
+Bug: https://bugs.gentoo.org/879209
+Upstream: https://github.com/sudo-project/sudo/commit/bd209b9f16fcd1270c13db27ae3329c677d48050
+
+From bd209b9f16fcd1270c13db27ae3329c677d48050 Mon Sep 17 00:00:00 2001
+From: "Todd C. Miller" <Todd.Miller@sudo.ws>
+Date: Fri, 28 Oct 2022 07:29:55 -0600
+Subject: [PATCH] Fix CVE-2022-43995, potential heap overflow for passwords < 8
+ characters. Starting with sudo 1.8.0 the plaintext password buffer is
+ dynamically sized so it is not safe to assume that it is at least 9 bytes in
+ size. Found by Hugo Lefeuvre (University of Manchester) with ConfFuzz.
+
+---
+ plugins/sudoers/auth/passwd.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+diff --git a/plugins/sudoers/auth/passwd.c b/plugins/sudoers/auth/passwd.c
+index b2046eca2..0416861e9 100644
+--- a/plugins/sudoers/auth/passwd.c
++++ b/plugins/sudoers/auth/passwd.c
+@@ -63,7 +63,7 @@ sudo_passwd_init(struct passwd *pw, sudo_auth *auth)
+ int
+ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_conv_callback *callback)
+ {
+-    char sav, *epass;
++    char des_pass[9], *epass;
+     char *pw_epasswd = auth->data;
+     size_t pw_len;
+     int matched = 0;
+@@ -75,12 +75,12 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
+ 
+     /*
+      * Truncate to 8 chars if standard DES since not all crypt()'s do this.
+-     * If this turns out not to be safe we will have to use OS #ifdef's (sigh).
+      */
+-    sav = pass[8];
+     pw_len = strlen(pw_epasswd);
+-    if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len))
+-	pass[8] = '\0';
++    if (pw_len == DESLEN || HAS_AGEINFO(pw_epasswd, pw_len)) {
++	strlcpy(des_pass, pass, sizeof(des_pass));
++	pass = des_pass;
++    }
+ 
+     /*
+      * Normal UN*X password check.
+@@ -88,7 +88,6 @@ sudo_passwd_verify(struct passwd *pw, char *pass, sudo_auth *auth, struct sudo_c
+      * only compare the first DESLEN characters in that case.
+      */
+     epass = (char *) crypt(pass, pw_epasswd);
+-    pass[8] = sav;
+     if (epass != NULL) {
+ 	if (HAS_AGEINFO(pw_epasswd, pw_len) && strlen(epass) == DESLEN)
+ 	    matched = !strncmp(pw_epasswd, epass, DESLEN);

diff --git a/app-admin/sudo/sudo-1.9.12-r1.ebuild b/app-admin/sudo/sudo-1.9.12-r1.ebuild
new file mode 100644
index 000000000000..04850cee909d
--- /dev/null
+++ b/app-admin/sudo/sudo-1.9.12-r1.ebuild
@@ -0,0 +1,287 @@
+# Copyright 1999-2022 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit pam libtool tmpfiles toolchain-funcs
+
+MY_P="${P/_/}"
+MY_P="${MY_P/beta/b}"
+
+DESCRIPTION="Allows users or groups to run commands as other users"
+HOMEPAGE="https://www.sudo.ws/"
+if [[ ${PV} == 9999 ]] ; then
+	inherit mercurial
+	EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
+else
+	VERIFY_SIG_OPENPGP_KEY_PATH="${BROOT}"/usr/share/openpgp-keys/sudo.ws.asc
+	inherit verify-sig
+
+	uri_prefix=
+	case ${P} in
+		*_beta*|*_rc*) uri_prefix=beta/ ;;
+	esac
+
+	SRC_URI="https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
+		ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz
+		verify-sig? (
+			https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz.sig
+			ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz.sig
+		)"
+	if [[ ${PV} != *_beta* ]] && [[ ${PV} != *_rc* ]] ; then
+		KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86 ~sparc-solaris"
+	fi
+
+	BDEPEND+="verify-sig? ( sec-keys/openpgp-keys-sudo )"
+fi
+
+# Basic license is ISC-style as-is, some files are released under
+# 3-clause BSD license
+LICENSE="ISC BSD"
+SLOT="0"
+IUSE="gcrypt ldap nls offensive pam sasl +secure-path selinux +sendmail skey ssl sssd"
+
+DEPEND="
+	sys-libs/zlib:=
+	virtual/libcrypt:=
+	gcrypt? ( dev-libs/libgcrypt:= )
+	ldap? (
+		>=net-nds/openldap-2.1.30-r1:=
+		sasl? (
+			dev-libs/cyrus-sasl
+			net-nds/openldap:=[sasl]
+		)
+	)
+	pam? ( sys-libs/pam )
+	sasl? ( dev-libs/cyrus-sasl )
+	selinux? ( sys-libs/libselinux )
+	skey? ( >=sys-auth/skey-1.1.5-r1 )
+	ssl? ( dev-libs/openssl:0= )
+	sssd? ( sys-auth/sssd[sudo] )
+"
+RDEPEND="
+	${DEPEND}
+	>=app-misc/editor-wrapper-3
+	virtual/editor
+	ldap? ( dev-lang/perl )
+	pam? ( sys-auth/pambase )
+	selinux? ( sec-policy/selinux-sudo )
+	sendmail? ( virtual/mta )
+"
+BDEPEND+="
+	sys-devel/bison
+	virtual/pkgconfig
+"
+
+S="${WORKDIR}/${MY_P}"
+
+REQUIRED_USE="
+	?? ( pam skey )
+	?? ( gcrypt ssl )
+"
+
+MAKEOPTS+=" SAMPLES="
+
+PATCHES=(
+	"${FILESDIR}"/${P}-mips-build.patch
+	"${FILESDIR}"/${P}-CVE-2022-43995.patch
+)
+
+src_prepare() {
+	default
+
+	elibtoolize
+}
+
+set_secure_path() {
+	# First extract the default ROOTPATH from build env
+	SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env; echo "${ROOTPATH}")
+
+	case "${SECURE_PATH}" in
+		*/usr/sbin*)
+			;;
+		*)
+			SECURE_PATH=$(unset PATH; . "${EPREFIX}"/etc/profile.env; echo "${PATH}")
+			;;
+	esac
+
+	if [[ -z ${SECURE_PATH} ]] ; then
+		ewarn "	Failed to detect SECURE_PATH, please report this"
+	fi
+
+	# Then remove duplicate path entries
+	cleanpath() {
+		local newpath thisp IFS=:
+		for thisp in $1 ; do
+			if [[ :${newpath}: != *:${thisp}:* ]] ; then
+				newpath+=:${thisp}
+			else
+				einfo "   Duplicate entry ${thisp} removed..."
+			fi
+		done
+		SECURE_PATH=${newpath#:}
+	}
+	cleanpath /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
+
+	# Finally, strip gcc paths, bug #136027
+	rmpath() {
+		local e newpath thisp IFS=:
+		for thisp in ${SECURE_PATH} ; do
+			for e ; do
+				[[ ${thisp} == ${e} ]] && continue 2 ;
+			done
+			newpath+=:${thisp}
+		done
+		SECURE_PATH=${newpath#:}
+	}
+	rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*'
+}
+
+src_configure() {
+	local SECURE_PATH
+
+	set_secure_path
+
+	# bug #767712
+	tc-export PKG_CONFIG
+
+	# - audit: somebody got to explain me how I can test this before I
+	# enable it.. - Diego
+	# - plugindir: autoconf code is crappy and does not delay evaluation
+	# until `make` time, so we have to use a full path here rather than
+	# basing off other values.
+	local myeconfargs=(
+		# We set all of the relevant options by ourselves (patched
+		# into the toolchain) and setting these in the build system
+		# actually causes a downgrade when using e.g. -D_FORTIFY_SOURCE=3
+		# (it'll downgrade to =2). So, this has no functional effect on
+		# the hardening for users. It's safe.
+		--disable-hardening
+
+		# requires some python eclass
+		--disable-python
+		--enable-tmpfiles.d="${EPREFIX}"/usr/lib/tmpfiles.d
+		--enable-zlib=system
+		--with-editor="${EPREFIX}"/usr/libexec/editor
+		--with-env-editor
+		--with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo
+		--with-rundir="${EPREFIX}"/run/sudo
+		--with-vardir="${EPREFIX}"/var/db/sudo
+		--without-linux-audit
+		--without-opie
+		$(use_enable gcrypt)
+		$(use_enable nls)
+		$(use_enable sasl)
+		$(use_enable ssl openssl)
+		$(use_with ldap)
+		$(use_with ldap ldap_conf_file /etc/ldap.conf.sudo)
+		$(use_with offensive insults)
+		$(use_with offensive all-insults)
+		$(use_with pam)
+		$(use_with pam pam-login)
+		$(use_with secure-path secure-path "${SECURE_PATH}")
+		$(use_with selinux)
+		$(use_with sendmail)
+		$(use_with skey)
+		$(use_with sssd)
+	)
+
+	econf "${myeconfargs[@]}"
+}
+
+src_install() {
+	default
+
+	if use ldap ; then
+		dodoc README.LDAP.md
+
+		cat <<-EOF > "${T}"/ldap.conf.sudo
+		# See ldap.conf(5) and README.LDAP.md for details
+		# This file should only be readable by root
+
+		# supported directives: host, port, ssl, ldap_version
+		# uri, binddn, bindpw, sudoers_base, sudoers_debug
+		# tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key}
+		EOF
+
+		if use sasl ; then
+			cat <<-EOF >> "${T}"/ldap.conf.sudo
+
+			# SASL directives: use_sasl, sasl_mech, sasl_auth_id
+			# sasl_secprops, rootuse_sasl, rootsasl_auth_id, krb5_ccname
+			EOF
+		fi
+
+		insinto /etc
+		doins "${T}"/ldap.conf.sudo
+		fperms 0440 /etc/ldap.conf.sudo
+
+		insinto /etc/openldap/schema
+		newins docs/schema.OpenLDAP sudo.schema
+	fi
+
+	if use pam ; then
+		pamd_mimic system-auth sudo auth account session
+		pamd_mimic system-auth sudo-i auth account session
+	fi
+
+	keepdir /var/db/sudo/lectured
+	fperms 0700 /var/db/sudo/lectured
+	# bug #652958
+	fperms 0711 /var/db/sudo
+
+	# Don't install into /run as that is a tmpfs most of the time
+	# (bug #504854)
+	rm -rf "${ED}"/run || die
+
+	# bug #697812
+	find "${ED}" -type f -name "*.la" -delete || die
+}
+
+pkg_postinst() {
+	tmpfiles_process sudo.conf
+
+	# bug #652958
+	local sudo_db="${EROOT}/var/db/sudo"
+	if [[ "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then
+		chmod 711 "${sudo_db}" || die
+	fi
+
+	if use ldap ; then
+		ewarn
+		ewarn "sudo uses the ${ROOT}/etc/ldap.conf.sudo file for ldap configuration."
+		ewarn
+		if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
+			ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
+			ewarn "configured in ${ROOT}/etc/nsswitch.conf."
+			ewarn
+			ewarn "To make use of LDAP, add this line to your ${ROOT}/etc/nsswitch.conf:"
+			ewarn "  sudoers: ldap files"
+			ewarn
+		fi
+	fi
+	if use prefix ; then
+		ewarn
+		ewarn "To use sudo on Prefix, you need to change file ownership and permissions"
+		ewarn "with root privileges, as follows:"
+		ewarn
+		ewarn "  # chown root:root ${EPREFIX}/usr/bin/sudo"
+		ewarn "  # chown root:root ${EPREFIX}/usr/lib/sudo/sudoers.so"
+		ewarn "  # chown root:root ${EPREFIX}/etc/sudoers"
+		ewarn "  # chown root:root ${EPREFIX}/etc/sudoers.d"
+		ewarn "  # chown root:root ${EPREFIX}/var/db/sudo"
+		ewarn "  # chmod 4111 ${EPREFIX}/usr/bin/sudo"
+		ewarn
+	fi
+
+	elog "To use the -A (askpass) option, you need to install a compatible"
+	elog "password program from the following list. Starred packages will"
+	elog "automatically register for the use with sudo (but will not force"
+	elog "the -A option):"
+	elog ""
+	elog " [*] net-misc/ssh-askpass-fullscreen"
+	elog "     net-misc/x11-ssh-askpass"
+	elog ""
+	elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
+	elog "variable to the program you want to use."
+}


^ permalink raw reply related	[flat|nested] 9+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: app-admin/sudo/files/, app-admin/sudo/
@ 2023-12-15  5:15 Sam James
  0 siblings, 0 replies; 9+ messages in thread
From: Sam James @ 2023-12-15  5:15 UTC (permalink / raw
  To: gentoo-commits

commit:     b85bacb92d96aea87acd711df24be802981c5b8c
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Fri Dec 15 04:47:23 2023 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Fri Dec 15 04:47:23 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b85bacb9

app-admin/sudo: drop 1.9.13_p3-r1, 1.9.14_p2

Signed-off-by: Sam James <sam <AT> gentoo.org>

 app-admin/sudo/Manifest                            |   4 -
 .../files/sudo-1.9.13_p3-configure-clang16.patch   | 105 --------
 app-admin/sudo/sudo-1.9.13_p3-r1.ebuild            | 290 ---------------------
 app-admin/sudo/sudo-1.9.14_p2.ebuild               | 286 --------------------
 4 files changed, 685 deletions(-)

diff --git a/app-admin/sudo/Manifest b/app-admin/sudo/Manifest
index a587ea9d2eaf..79ba81a81227 100644
--- a/app-admin/sudo/Manifest
+++ b/app-admin/sudo/Manifest
@@ -1,7 +1,3 @@
-DIST sudo-1.9.13p3.tar.gz 5100355 BLAKE2B 46218ecf4cf06d2280ccf4c257b12a6f697eda17b96a6b7aa56f6c7f22d847ec2a8036b9f615c3328d985656539c95f37a40c6c72dfa5f65786ab45a28cf353f SHA512 c0c5cd0c6308868afdad2ecf55b86fdcf1f49889b30831c9db3bc56a63dc3a07686c285c20b2500494b2a76653e2ec69196abdc583312609a5db1c81a6e4e737
-DIST sudo-1.9.13p3.tar.gz.sig 566 BLAKE2B 5b59c7178bf157b67500d972fe1b373bc86ab09345f59733cffa85700221ceec0d5be10bce4838f16e9238154c90a972570a7a933f48dbd56bc64b38dbc0043f SHA512 eebf36e86ebd03daca05838bc56d9b1fb7ea8584a83a9f0e03c5ff07e612d36472b23797c628eff1cf4301832d139de0de62ddc8b17e20f1498f769a4db1249a
-DIST sudo-1.9.14p2.tar.gz 5229966 BLAKE2B a350136731c1c6eca1317a852ce243b270df61ba275608bd0d0ec11760babdb2f9f489b818529484c15a43345fa53c96efd1aa47ab7cc0591c45928ba75c4c85 SHA512 d8ab03f6488cc5790c66941a2a8491df55a19bda6f0f8b683d4b3c22390b0ab19ebb0b02696d7c78b626975a408c34f005dc2d6b2100cf2a0efdf4cf1f504db9
-DIST sudo-1.9.14p2.tar.gz.sig 566 BLAKE2B f72469340cfbb5005540a7080410dcf72694966c6293274cc28a1167824ddafed8ab441478985564f674f8f0c48a7b738a36ea572e36ec7fafee91486d08b646 SHA512 5a3cd7fe28762ee435f52a03fda504ab820805e5cdc7462343291a579daad7d779f5dc3897d7dceb9bfce6468a08ee60fe1c517a7d18ba917291339031609383
 DIST sudo-1.9.14p3.tar.gz 5232320 BLAKE2B 702d0c5489658dfd35c5a57977431343d29e6c2d7bb44bb7a8fd9f7fc7b7094b3f3fe2348d1ab6b9aa037e2b5fd1019f127f45e99190bdfff077e94747dc17e1 SHA512 d4af836e3316c35d8b81a2c869ca199e8f2d5cb26dbd98b8ad031f29be62b154452afdf5a506ddabad21b80e5988a49f1f7c8f1ec44718ffcbd7e89ccbdef612
 DIST sudo-1.9.14p3.tar.gz.sig 566 BLAKE2B 61ea3ca0e6032ddabbfd7e5b56881f0e800b49eed0404738c1a28687160917a8ddde91378b915cb81c9576732629d398790eac31d300e536e117fa9bbf5b1f4a SHA512 e1723f589eb3b758bd7e7e0da158d21e9315976320f8d39159a97e801c9745768b42b7b16c697cdbb3917a3f3def0125acf868dc343b062834f9f0818d741608
 DIST sudo-1.9.15p2.tar.gz 5303642 BLAKE2B 002f820d6d82b3384a9206545a999765c2924b2650fd7f6331c191e3f631507064d71a042c606b4fcea0d518d38b5a24d3f44964bb09cb5774e50501abc3f524 SHA512 219fc138fb4850fff30c44a6dab767402172d545a83d31dba4a2a9ce27f8a9fe14f1f24f4e328517f2dd26e84906db5d2be388a9c82e89f5ca59740bb782a608

diff --git a/app-admin/sudo/files/sudo-1.9.13_p3-configure-clang16.patch b/app-admin/sudo/files/sudo-1.9.13_p3-configure-clang16.patch
deleted file mode 100644
index a9b9434c2b01..000000000000
--- a/app-admin/sudo/files/sudo-1.9.13_p3-configure-clang16.patch
+++ /dev/null
@@ -1,105 +0,0 @@
-ttps://www.sudo.ws/pipermail/sudo-workers/2023-April/001387.html
-https://github.com/sudo-project/sudo/commit/b83140e0f18fb27d310a4839a14f5c3febd2770b
-https://github.com/sudo-project/sudo/commit/075ee0f9dc234f9a7e680b16304809e5546965d5
-
-From b83140e0f18fb27d310a4839a14f5c3febd2770b Mon Sep 17 00:00:00 2001
-From: "Todd C. Miller" <Todd.Miller@sudo.ws>
-Date: Wed, 26 Apr 2023 11:10:46 -0600
-Subject: [PATCH] Use ldap_msgfree() instead of ldap_init() for the lber.h
- test. The ldap_init() function is marked as deprecated and not defined by
- default on some systems.  This can cause an error for compilers that do not
- support implicit function declarations. From Florian Weimer.
-
---- a/configure
-+++ b/configure
-@@ -31515,7 +31515,7 @@ else case e in #(
- int
- main (void)
- {
--(void)ldap_init(0, 0)
-+return ldap_msgfree(NULL)
-   ;
-   return 0;
- }
---- a/m4/ldap.m4
-+++ b/m4/ldap.m4
-@@ -52,7 +52,7 @@ AC_DEFUN([SUDO_CHECK_LDAP], [
- #include <lber.h>])
- 	AC_CACHE_CHECK([whether lber.h is needed when including ldap.h], [sudo_cv_header_lber_h], [
- 	    AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <sys/types.h>
--#include <ldap.h>]], [[(void)ldap_init(0, 0)]])], [
-+#include <ldap.h>]], [[return ldap_msgfree(NULL)]])], [
- 		# No need to explicitly include lber.h when including ldap.h.
- 		sudo_cv_header_lber_h=no
- 	    ], [
-
-From 075ee0f9dc234f9a7e680b16304809e5546965d5 Mon Sep 17 00:00:00 2001
-From: "Todd C. Miller" <Todd.Miller@sudo.ws>
-Date: Wed, 26 Apr 2023 12:44:10 -0600
-Subject: [PATCH] Add missing stdio.h include for the _FORTIFY_SOURCE=2 check.
- Implementations of _FORTIFY_SOURCE require the header file to be included. 
- Also remove the useless test of an empty program with _FORTIFY_SOURCE
- defined.  Pointed out by Florian Weimer.
-
---- a/configure
-+++ b/configure
-@@ -34207,33 +34207,11 @@ else case e in #(
-   e) cat confdefs.h - <<_ACEOF >conftest.$ac_ext
- /* end confdefs.h.  */
- 
--
--int
--main (void)
--{
--char buf[4]; (void)sprintf(buf, "%s", "foo");
--
--  ;
--  return 0;
--}
--_ACEOF
--if ac_fn_c_try_link "$LINENO"
--then :
--  sudo_cv_use_fortify_source=yes
--else case e in #(
--  e) sudo_cv_use_fortify_source=no
--		 ;;
--esac
--fi
--rm -f core conftest.err conftest.$ac_objext conftest.beam \
--    conftest$ac_exeext conftest.$ac_ext
--
--	    cat confdefs.h - <<_ACEOF >conftest.$ac_ext
--/* end confdefs.h.  */
--
-+		    #include <stdio.h>
- int
- main (void)
- {
-+char buf[4]; sprintf(buf, "%s", "foo"); return buf[0];
- 
-   ;
-   return 0;
---- a/m4/hardening.m4
-+++ b/m4/hardening.m4
-@@ -10,18 +10,13 @@ AC_DEFUN([SUDO_CHECK_HARDENING], [
- 	    [sudo_cv_use_fortify_source],
- 	    [AC_LINK_IFELSE([
- 		    AC_LANG_PROGRAM(
--			[[]], [[char buf[4]; (void)sprintf(buf, "%s", "foo");]]
-+			[[#include <stdio.h>]],
-+			[[char buf[4]; sprintf(buf, "%s", "foo"); return buf[0];]]
- 		    )],
- 		    [sudo_cv_use_fortify_source=yes],
- 		    [sudo_cv_use_fortify_source=no]
- 		)
- 	    ]
--	    [AC_LINK_IFELSE(
--		[AC_LANG_PROGRAM([[]], [[]])],
--		    [sudo_cv_use_fortify_source=yes],
--		    [sudo_cv_use_fortify_source=no]
--		)
--	    ]
- 	)
- 	if test "$sudo_cv_use_fortify_source" != yes; then
- 	    CPPFLAGS="$O_CPPFLAGS"
-

diff --git a/app-admin/sudo/sudo-1.9.13_p3-r1.ebuild b/app-admin/sudo/sudo-1.9.13_p3-r1.ebuild
deleted file mode 100644
index bf4360a2426e..000000000000
--- a/app-admin/sudo/sudo-1.9.13_p3-r1.ebuild
+++ /dev/null
@@ -1,290 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-inherit pam libtool tmpfiles toolchain-funcs
-
-MY_P="${P/_/}"
-MY_P="${MY_P/beta/b}"
-
-DESCRIPTION="Allows users or groups to run commands as other users"
-HOMEPAGE="https://www.sudo.ws/"
-
-if [[ ${PV} == 9999 ]] ; then
-	inherit mercurial
-	EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
-else
-	VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/sudo.ws.asc
-	inherit verify-sig
-
-	uri_prefix=
-	case ${P} in
-		*_beta*|*_rc*) uri_prefix=beta/ ;;
-	esac
-
-	SRC_URI="
-		https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
-		ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz
-		verify-sig? (
-			https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz.sig
-			ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz.sig
-		)
-	"
-
-	if [[ ${PV} != *_beta* && ${PV} != *_rc* ]] ; then
-		KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
-	fi
-
-	BDEPEND+="verify-sig? ( sec-keys/openpgp-keys-sudo )"
-fi
-
-S="${WORKDIR}/${MY_P}"
-
-# Basic license is ISC-style as-is, some files are released under
-# 3-clause BSD license
-LICENSE="ISC BSD"
-SLOT="0"
-IUSE="gcrypt ldap nls offensive pam sasl +secure-path selinux +sendmail skey ssl sssd"
-
-DEPEND="
-	sys-libs/zlib:=
-	virtual/libcrypt:=
-	gcrypt? ( dev-libs/libgcrypt:= )
-	ldap? (
-		>=net-nds/openldap-2.1.30-r1:=
-		sasl? (
-			dev-libs/cyrus-sasl
-			net-nds/openldap:=[sasl]
-		)
-	)
-	pam? ( sys-libs/pam )
-	sasl? ( dev-libs/cyrus-sasl )
-	selinux? ( sys-libs/libselinux )
-	skey? ( >=sys-auth/skey-1.1.5-r1 )
-	ssl? ( dev-libs/openssl:0= )
-	sssd? ( sys-auth/sssd[sudo] )
-"
-RDEPEND="
-	${DEPEND}
-	>=app-misc/editor-wrapper-3
-	virtual/editor
-	ldap? ( dev-lang/perl )
-	pam? ( sys-auth/pambase )
-	selinux? ( sec-policy/selinux-sudo )
-	sendmail? ( virtual/mta )
-"
-BDEPEND+="
-	sys-devel/bison
-	virtual/pkgconfig
-"
-
-REQUIRED_USE="
-	?? ( pam skey )
-	?? ( gcrypt ssl )
-"
-
-MAKEOPTS+=" SAMPLES="
-
-PATCHES=(
-	"${FILESDIR}"/${PN}-1.9.13_p3-configure-clang16.patch
-)
-
-src_prepare() {
-	default
-
-	elibtoolize
-}
-
-set_secure_path() {
-	# First extract the default ROOTPATH from build env
-	SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env; echo "${ROOTPATH}")
-
-	case "${SECURE_PATH}" in
-		*/usr/sbin*)
-			;;
-		*)
-			SECURE_PATH=$(unset PATH; . "${EPREFIX}"/etc/profile.env; echo "${PATH}")
-			;;
-	esac
-
-	if [[ -z ${SECURE_PATH} ]] ; then
-		ewarn "	Failed to detect SECURE_PATH, please report this"
-	fi
-
-	# Then remove duplicate path entries
-	cleanpath() {
-		local newpath thisp IFS=:
-		for thisp in $1 ; do
-			if [[ :${newpath}: != *:${thisp}:* ]] ; then
-				newpath+=:${thisp}
-			else
-				einfo "   Duplicate entry ${thisp} removed..."
-			fi
-		done
-		SECURE_PATH=${newpath#:}
-	}
-	cleanpath /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
-
-	# Finally, strip gcc paths, bug #136027
-	rmpath() {
-		local e newpath thisp IFS=:
-		for thisp in ${SECURE_PATH} ; do
-			for e ; do
-				[[ ${thisp} == ${e} ]] && continue 2 ;
-			done
-			newpath+=:${thisp}
-		done
-		SECURE_PATH=${newpath#:}
-	}
-	rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*'
-}
-
-src_configure() {
-	local SECURE_PATH
-
-	set_secure_path
-
-	# bug #767712
-	tc-export PKG_CONFIG
-
-	# - audit: somebody got to explain me how I can test this before I
-	# enable it.. - Diego
-	# - plugindir: autoconf code is crappy and does not delay evaluation
-	# until `make` time, so we have to use a full path here rather than
-	# basing off other values.
-	local myeconfargs=(
-		# We set all of the relevant options by ourselves (patched
-		# into the toolchain) and setting these in the build system
-		# actually causes a downgrade when using e.g. -D_FORTIFY_SOURCE=3
-		# (it'll downgrade to =2). So, this has no functional effect on
-		# the hardening for users. It's safe.
-		--disable-hardening
-
-		# requires some python eclass
-		--disable-python
-		--enable-tmpfiles.d="${EPREFIX}"/usr/lib/tmpfiles.d
-		--enable-zlib=system
-		--with-editor="${EPREFIX}"/usr/libexec/editor
-		--with-env-editor
-		--with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo
-		--with-rundir="${EPREFIX}"/run/sudo
-		--with-vardir="${EPREFIX}"/var/db/sudo
-		--without-linux-audit
-		--without-opie
-		$(use_enable gcrypt)
-		$(use_enable nls)
-		$(use_enable sasl)
-		$(use_enable ssl openssl)
-		$(use_with ldap)
-		$(use_with ldap ldap_conf_file /etc/ldap.conf.sudo)
-		$(use_with offensive insults)
-		$(use_with offensive all-insults)
-		$(use_with pam)
-		$(use_with pam pam-login)
-		$(use_with secure-path secure-path "${SECURE_PATH}")
-		$(use_with selinux)
-		$(use_with sendmail)
-		$(use_with skey)
-		$(use_with sssd)
-	)
-
-	econf "${myeconfargs[@]}"
-}
-
-src_install() {
-	default
-
-	if use ldap ; then
-		dodoc README.LDAP.md
-
-		cat <<-EOF > "${T}"/ldap.conf.sudo
-		# See ldap.conf(5) and README.LDAP.md for details
-		# This file should only be readable by root
-
-		# supported directives: host, port, ssl, ldap_version
-		# uri, binddn, bindpw, sudoers_base, sudoers_debug
-		# tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key}
-		EOF
-
-		if use sasl ; then
-			cat <<-EOF >> "${T}"/ldap.conf.sudo
-
-			# SASL directives: use_sasl, sasl_mech, sasl_auth_id
-			# sasl_secprops, rootuse_sasl, rootsasl_auth_id, krb5_ccname
-			EOF
-		fi
-
-		insinto /etc
-		doins "${T}"/ldap.conf.sudo
-		fperms 0440 /etc/ldap.conf.sudo
-
-		insinto /etc/openldap/schema
-		newins docs/schema.OpenLDAP sudo.schema
-	fi
-
-	if use pam ; then
-		pamd_mimic system-auth sudo auth account session
-		pamd_mimic system-auth sudo-i auth account session
-	fi
-
-	keepdir /var/db/sudo/lectured
-	fperms 0700 /var/db/sudo/lectured
-	# bug #652958
-	fperms 0711 /var/db/sudo
-
-	# Don't install into /run as that is a tmpfs most of the time
-	# (bug #504854)
-	rm -rf "${ED}"/run || die
-
-	# bug #697812
-	find "${ED}" -type f -name "*.la" -delete || die
-}
-
-pkg_postinst() {
-	tmpfiles_process sudo.conf
-
-	# bug #652958
-	local sudo_db="${EROOT}/var/db/sudo"
-	if [[ "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then
-		chmod 711 "${sudo_db}" || die
-	fi
-
-	if use ldap ; then
-		ewarn
-		ewarn "sudo uses the ${ROOT}/etc/ldap.conf.sudo file for ldap configuration."
-		ewarn
-		if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
-			ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
-			ewarn "configured in ${ROOT}/etc/nsswitch.conf."
-			ewarn
-			ewarn "To make use of LDAP, add this line to your ${ROOT}/etc/nsswitch.conf:"
-			ewarn "  sudoers: ldap files"
-			ewarn
-		fi
-	fi
-	if use prefix ; then
-		ewarn
-		ewarn "To use sudo on Prefix, you need to change file ownership and permissions"
-		ewarn "with root privileges, as follows:"
-		ewarn
-		ewarn "  # chown root:root ${EPREFIX}/usr/bin/sudo"
-		ewarn "  # chown root:root ${EPREFIX}/usr/lib/sudo/sudoers.so"
-		ewarn "  # chown root:root ${EPREFIX}/etc/sudoers"
-		ewarn "  # chown root:root ${EPREFIX}/etc/sudoers.d"
-		ewarn "  # chown root:root ${EPREFIX}/var/db/sudo"
-		ewarn "  # chmod 4111 ${EPREFIX}/usr/bin/sudo"
-		ewarn
-	fi
-
-	elog "To use the -A (askpass) option, you need to install a compatible"
-	elog "password program from the following list. Starred packages will"
-	elog "automatically register for the use with sudo (but will not force"
-	elog "the -A option):"
-	elog ""
-	elog " [*] net-misc/ssh-askpass-fullscreen"
-	elog "     net-misc/x11-ssh-askpass"
-	elog ""
-	elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
-	elog "variable to the program you want to use."
-}

diff --git a/app-admin/sudo/sudo-1.9.14_p2.ebuild b/app-admin/sudo/sudo-1.9.14_p2.ebuild
deleted file mode 100644
index 5b761d116733..000000000000
--- a/app-admin/sudo/sudo-1.9.14_p2.ebuild
+++ /dev/null
@@ -1,286 +0,0 @@
-# Copyright 1999-2023 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=8
-
-inherit pam libtool tmpfiles toolchain-funcs
-
-MY_P="${P/_/}"
-MY_P="${MY_P/beta/b}"
-
-DESCRIPTION="Allows users or groups to run commands as other users"
-HOMEPAGE="https://www.sudo.ws/"
-
-if [[ ${PV} == 9999 ]] ; then
-	inherit mercurial
-	EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
-else
-	VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/sudo.ws.asc
-	inherit verify-sig
-
-	uri_prefix=
-	case ${P} in
-		*_beta*|*_rc*) uri_prefix=beta/ ;;
-	esac
-
-	SRC_URI="
-		https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
-		ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz
-		verify-sig? (
-			https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz.sig
-			ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz.sig
-		)
-	"
-
-	if [[ ${PV} != *_beta* && ${PV} != *_rc* ]] ; then
-		KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
-	fi
-
-	BDEPEND="verify-sig? ( sec-keys/openpgp-keys-sudo )"
-fi
-
-S="${WORKDIR}/${MY_P}"
-
-# Basic license is ISC-style as-is, some files are released under
-# 3-clause BSD license
-LICENSE="ISC BSD"
-SLOT="0"
-IUSE="gcrypt ldap nls offensive pam sasl +secure-path selinux +sendmail skey ssl sssd"
-
-DEPEND="
-	sys-libs/zlib:=
-	virtual/libcrypt:=
-	gcrypt? ( dev-libs/libgcrypt:= )
-	ldap? (
-		>=net-nds/openldap-2.1.30-r1:=
-		sasl? (
-			dev-libs/cyrus-sasl
-			net-nds/openldap:=[sasl]
-		)
-	)
-	pam? ( sys-libs/pam )
-	sasl? ( dev-libs/cyrus-sasl )
-	selinux? ( sys-libs/libselinux )
-	skey? ( >=sys-auth/skey-1.1.5-r1 )
-	ssl? ( dev-libs/openssl:= )
-	sssd? ( sys-auth/sssd[sudo] )
-"
-RDEPEND="
-	${DEPEND}
-	>=app-misc/editor-wrapper-3
-	virtual/editor
-	ldap? ( dev-lang/perl )
-	pam? ( sys-auth/pambase )
-	selinux? ( sec-policy/selinux-sudo )
-	sendmail? ( virtual/mta )
-"
-BDEPEND+="
-	sys-devel/bison
-	virtual/pkgconfig
-"
-
-REQUIRED_USE="
-	?? ( pam skey )
-	?? ( gcrypt ssl )
-"
-
-MAKEOPTS+=" SAMPLES="
-
-src_prepare() {
-	default
-
-	elibtoolize
-}
-
-set_secure_path() {
-	# First extract the default ROOTPATH from build env
-	SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env; echo "${ROOTPATH}")
-
-	case "${SECURE_PATH}" in
-		*/usr/sbin*)
-			;;
-		*)
-			SECURE_PATH=$(unset PATH; . "${EPREFIX}"/etc/profile.env; echo "${PATH}")
-			;;
-	esac
-
-	if [[ -z ${SECURE_PATH} ]] ; then
-		ewarn "	Failed to detect SECURE_PATH, please report this"
-	fi
-
-	# Then remove duplicate path entries
-	cleanpath() {
-		local newpath thisp IFS=:
-		for thisp in $1 ; do
-			if [[ :${newpath}: != *:${thisp}:* ]] ; then
-				newpath+=:${thisp}
-			else
-				einfo "   Duplicate entry ${thisp} removed..."
-			fi
-		done
-		SECURE_PATH=${newpath#:}
-	}
-	cleanpath /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
-
-	# Finally, strip gcc paths, bug #136027
-	rmpath() {
-		local e newpath thisp IFS=:
-		for thisp in ${SECURE_PATH} ; do
-			for e ; do
-				[[ ${thisp} == ${e} ]] && continue 2 ;
-			done
-			newpath+=:${thisp}
-		done
-		SECURE_PATH=${newpath#:}
-	}
-	rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*'
-}
-
-src_configure() {
-	local SECURE_PATH
-
-	set_secure_path
-
-	# bug #767712
-	tc-export PKG_CONFIG
-
-	# - audit: somebody got to explain me how I can test this before I
-	# enable it.. - Diego
-	# - plugindir: autoconf code is crappy and does not delay evaluation
-	# until `make` time, so we have to use a full path here rather than
-	# basing off other values.
-	local myeconfargs=(
-		# We set all of the relevant options by ourselves (patched
-		# into the toolchain) and setting these in the build system
-		# actually causes a downgrade when using e.g. -D_FORTIFY_SOURCE=3
-		# (it'll downgrade to =2). So, this has no functional effect on
-		# the hardening for users. It's safe.
-		--disable-hardening
-
-		# requires some python eclass
-		--disable-python
-		--enable-tmpfiles.d="${EPREFIX}"/usr/lib/tmpfiles.d
-		--enable-zlib=system
-		--with-editor="${EPREFIX}"/usr/libexec/editor
-		--with-env-editor
-		--with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo
-		--with-rundir="${EPREFIX}"/run/sudo
-		--with-vardir="${EPREFIX}"/var/db/sudo
-		--without-linux-audit
-		--without-opie
-		$(use_enable gcrypt)
-		$(use_enable nls)
-		$(use_enable sasl)
-		$(use_enable ssl openssl)
-		$(use_with ldap)
-		$(use_with ldap ldap_conf_file /etc/ldap.conf.sudo)
-		$(use_with offensive insults)
-		$(use_with offensive all-insults)
-		$(use_with pam)
-		$(use_with pam pam-login)
-		$(use_with secure-path secure-path "${SECURE_PATH}")
-		$(use_with selinux)
-		$(use_with sendmail)
-		$(use_with skey)
-		$(use_with sssd)
-	)
-
-	econf "${myeconfargs[@]}"
-}
-
-src_install() {
-	default
-
-	if use ldap ; then
-		dodoc README.LDAP.md
-
-		cat <<-EOF > "${T}"/ldap.conf.sudo
-		# See ldap.conf(5) and README.LDAP.md for details
-		# This file should only be readable by root
-
-		# supported directives: host, port, ssl, ldap_version
-		# uri, binddn, bindpw, sudoers_base, sudoers_debug
-		# tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key}
-		EOF
-
-		if use sasl ; then
-			cat <<-EOF >> "${T}"/ldap.conf.sudo
-
-			# SASL directives: use_sasl, sasl_mech, sasl_auth_id
-			# sasl_secprops, rootuse_sasl, rootsasl_auth_id, krb5_ccname
-			EOF
-		fi
-
-		insinto /etc
-		doins "${T}"/ldap.conf.sudo
-		fperms 0440 /etc/ldap.conf.sudo
-
-		insinto /etc/openldap/schema
-		newins docs/schema.OpenLDAP sudo.schema
-	fi
-
-	if use pam ; then
-		pamd_mimic system-auth sudo auth account session
-		pamd_mimic system-auth sudo-i auth account session
-	fi
-
-	keepdir /var/db/sudo/lectured
-	fperms 0700 /var/db/sudo/lectured
-	# bug #652958
-	fperms 0711 /var/db/sudo
-
-	# Don't install into /run as that is a tmpfs most of the time
-	# (bug #504854)
-	rm -rf "${ED}"/run || die
-
-	# bug #697812
-	find "${ED}" -type f -name "*.la" -delete || die
-}
-
-pkg_postinst() {
-	tmpfiles_process sudo.conf
-
-	# bug #652958
-	local sudo_db="${EROOT}/var/db/sudo"
-	if [[ "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then
-		chmod 711 "${sudo_db}" || die
-	fi
-
-	if use ldap ; then
-		ewarn
-		ewarn "sudo uses the ${ROOT}/etc/ldap.conf.sudo file for ldap configuration."
-		ewarn
-		if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
-			ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
-			ewarn "configured in ${ROOT}/etc/nsswitch.conf."
-			ewarn
-			ewarn "To make use of LDAP, add this line to your ${ROOT}/etc/nsswitch.conf:"
-			ewarn "  sudoers: ldap files"
-			ewarn
-		fi
-	fi
-	if use prefix ; then
-		ewarn
-		ewarn "To use sudo on Prefix, you need to change file ownership and permissions"
-		ewarn "with root privileges, as follows:"
-		ewarn
-		ewarn "  # chown root:root ${EPREFIX}/usr/bin/sudo"
-		ewarn "  # chown root:root ${EPREFIX}/usr/lib/sudo/sudoers.so"
-		ewarn "  # chown root:root ${EPREFIX}/etc/sudoers"
-		ewarn "  # chown root:root ${EPREFIX}/etc/sudoers.d"
-		ewarn "  # chown root:root ${EPREFIX}/var/db/sudo"
-		ewarn "  # chmod 4111 ${EPREFIX}/usr/bin/sudo"
-		ewarn
-	fi
-
-	elog "To use the -A (askpass) option, you need to install a compatible"
-	elog "password program from the following list. Starred packages will"
-	elog "automatically register for the use with sudo (but will not force"
-	elog "the -A option):"
-	elog ""
-	elog " [*] net-misc/ssh-askpass-fullscreen"
-	elog "     net-misc/x11-ssh-askpass"
-	elog ""
-	elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
-	elog "variable to the program you want to use."
-}


^ permalink raw reply related	[flat|nested] 9+ messages in thread

* [gentoo-commits] repo/gentoo:master commit in: app-admin/sudo/files/, app-admin/sudo/
@ 2024-10-29  2:45 Sam James
  0 siblings, 0 replies; 9+ messages in thread
From: Sam James @ 2024-10-29  2:45 UTC (permalink / raw
  To: gentoo-commits

commit:     13f11b1b10bc995b910fd1538ce1e5c41ac69c7a
Author:     Sam James <sam <AT> gentoo <DOT> org>
AuthorDate: Tue Oct 29 02:31:59 2024 +0000
Commit:     Sam James <sam <AT> gentoo <DOT> org>
CommitDate: Tue Oct 29 02:31:59 2024 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=13f11b1b

app-admin/sudo: add 1.9.16

Signed-off-by: Sam James <sam <AT> gentoo.org>

 app-admin/sudo/Manifest                            |  2 +
 .../sudo-1.9.16-allow-disabling-secure-path.patch  | 54 ++++++++++++++++++++++
 .../sudo/{sudo-9999.ebuild => sudo-1.9.16.ebuild}  | 13 ++++--
 app-admin/sudo/sudo-9999.ebuild                    | 13 ++++--
 4 files changed, 76 insertions(+), 6 deletions(-)

diff --git a/app-admin/sudo/Manifest b/app-admin/sudo/Manifest
index 90f9f2b10c40..f24674d78d62 100644
--- a/app-admin/sudo/Manifest
+++ b/app-admin/sudo/Manifest
@@ -1,2 +1,4 @@
 DIST sudo-1.9.15p5.tar.gz 5306611 BLAKE2B 73ee598c2a2848d5be24f97492b13eba2f326c514799220e43a1aeafc6692224a7555fb7cc0a96a2720751d3e4d98e752804db589ac3c1476f24e71f5b9bc720 SHA512 ebac69719de2fe7bd587924701bdd24149bf376a68b17ec02f69b2b96d4bb6fa5eb8260a073ec5ea046d3ac69bb5b1c0b9d61709fe6a56f1f66e40817a70b15a
 DIST sudo-1.9.15p5.tar.gz.sig 566 BLAKE2B ddd8fed1b3721aafdb32b762834168063c3f0f003ef5d83f1883615320da6fe89b08d72c8e893c8b2bf9fd892a40e47cc77d72672e43b5a24db50e7194d9bc4c SHA512 97480a3d27b546a93e997c3a1e8169904a7625ab8fa6198d0b7e1d2d040f55b2d58462cd08e5cc97c2f1c817b12343e35cdd7db207aee42785f2b95b17c600b0
+DIST sudo-1.9.16.tar.gz 5392026 BLAKE2B 19daa789af3ca2c4832950f0dd6f26a97285fdc155f0d7c18ec1f1accafce9b86f2f5730d3bb0b8e7717c0c55f4079928e03acb3974cb2652c58d4bcb2f74a12 SHA512 1b0254eb5b75422bffd31a2ae8c56cb4e8e2ecc08e2fa687eddb638d4f2de2585fa7621c868c03423e9d636bfb5679a3758d504155dbdfd3eebfbdcbd8b58f7c
+DIST sudo-1.9.16.tar.gz.sig 566 BLAKE2B 9eb9fd2db0de5b9ce965c2109a9722e0b5f0793b7c9003123b1540d7cb5b8178043221296fd51c7f0b24ce1b1cda9f196a6d50083da172ca2afcb8f130d8eae1 SHA512 edf066f9ffdf2653468f8b45866a65214f0dff0164318d5f6bd9252f6211e82522161b1b9621798fbc9112253e6940d7137d18e8b42e8c6e5ba52ccac64d99cf

diff --git a/app-admin/sudo/files/sudo-1.9.16-allow-disabling-secure-path.patch b/app-admin/sudo/files/sudo-1.9.16-allow-disabling-secure-path.patch
new file mode 100644
index 000000000000..8fda41a2b73f
--- /dev/null
+++ b/app-admin/sudo/files/sudo-1.9.16-allow-disabling-secure-path.patch
@@ -0,0 +1,54 @@
+https://github.com/sudo-project/sudo/commit/131e7e2de02ab53cfefefe93978d7fee4cb8142d
+
+From 131e7e2de02ab53cfefefe93978d7fee4cb8142d Mon Sep 17 00:00:00 2001
+From: Andy Fiddaman <illumos@fiddaman.net>
+Date: Tue, 17 Sep 2024 12:49:13 +0000
+Subject: [PATCH] Allow --secure-path-value=no
+
+This adds support for --with-secure-path-value=no to allow packagers
+to ship the sudoers configuration file with the secure path
+line commented out if required.
+--- a/configure.ac
++++ b/configure.ac
+@@ -177,6 +177,7 @@ AC_SUBST([sssd_lib])
+ AC_SUBST([nsswitch_conf])
+ AC_SUBST([netsvc_conf])
+ AC_SUBST([secure_path])
++AC_SUBST([secure_path_config])
+ AC_SUBST([secure_path_status])
+ AC_SUBST([editor])
+ AC_SUBST([pam_session])
+@@ -230,6 +231,7 @@ sesh_file="$libexecdir/sudo/sesh"
+ visudo="$sbindir/visudo"
+ nsswitch_conf=/etc/nsswitch.conf
+ secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
++secure_path_config=
+ secure_path_status="disabled"
+ pam_session=on
+ pam_login_service=sudo
+@@ -1068,9 +1070,11 @@ AC_ARG_WITH(ldap-secret-file, [AS_HELP_STRING([--with-ldap-secret-file], [path t
+ test -n "$with_ldap_secret_file" && ldap_secret="$with_ldap_secret_file"
+ SUDO_DEFINE_UNQUOTED(_PATH_LDAP_SECRET, "$ldap_secret", [Path to the ldap.secret file])
+ 
+-AC_ARG_WITH(secure-path-value, [AS_HELP_STRING([--with-secure-path-value], [value of secure_path in the default sudoers file])],
++AC_ARG_WITH(secure-path-value, [AS_HELP_STRING([--with-secure-path-value], [value of secure_path in the default sudoers file, or "no" to comment out by default])],
+ [case $with_secure_path_value in
+-    yes|no)	AC_MSG_ERROR([must give --secure-path-value an argument.])
++    yes)	AC_MSG_ERROR([must give --with-secure-path-value an argument.])
++		;;
++    no)		secure_path_config="# "
+ 		;;
+     *)		secure_path="$with_secure_path_value"
+ 		;;
+--- a/plugins/sudoers/sudoers.in
++++ b/plugins/sudoers/sudoers.in
+@@ -48,7 +48,7 @@ Defaults!@visudo@ env_keep += "SUDO_EDITOR EDITOR VISUAL"
+ ## Use a hard-coded PATH instead of the user's to find commands.
+ ## This also helps prevent poorly written scripts from running
+ ## artbitrary commands under sudo.
+-Defaults secure_path="@secure_path@"
++@secure_path_config@Defaults secure_path="@secure_path@"
+ ##
+ ## You may wish to keep some of the following environment variables
+ ## when running commands via sudo.
+

diff --git a/app-admin/sudo/sudo-9999.ebuild b/app-admin/sudo/sudo-1.9.16.ebuild
similarity index 95%
copy from app-admin/sudo/sudo-9999.ebuild
copy to app-admin/sudo/sudo-1.9.16.ebuild
index d020a1a1f339..868cb8e860d0 100644
--- a/app-admin/sudo/sudo-9999.ebuild
+++ b/app-admin/sudo/sudo-1.9.16.ebuild
@@ -3,7 +3,7 @@
 
 EAPI=8
 
-inherit pam libtool tmpfiles toolchain-funcs
+inherit autotools pam libtool tmpfiles toolchain-funcs
 
 MY_P="${P/_/}"
 MY_P="${MY_P/beta/b}"
@@ -86,10 +86,16 @@ REQUIRED_USE="
 
 MAKEOPTS+=" SAMPLES="
 
+PATCHES=(
+	"${FILESDIR}"/${PN}-1.9.16-allow-disabling-secure-path.patch
+)
+
 src_prepare() {
 	default
 
-	elibtoolize
+	# eautoreconf temporarily for allow-disabling-secure-path patch
+	# in 1.9.16; revert to elibtoolize once that is gone.
+	eautoreconf
 }
 
 set_secure_path() {
@@ -178,7 +184,8 @@ src_configure() {
 		$(use_with offensive all-insults)
 		$(use_with pam)
 		$(use_with pam pam-login)
-		$(use_with secure-path secure-path "${SECURE_PATH}")
+		$(use_with secure-path)
+		--with-secure-path-value="${SECURE_PATH}"
 		$(use_with selinux)
 		$(use_with sendmail)
 		$(use_with skey)

diff --git a/app-admin/sudo/sudo-9999.ebuild b/app-admin/sudo/sudo-9999.ebuild
index d020a1a1f339..868cb8e860d0 100644
--- a/app-admin/sudo/sudo-9999.ebuild
+++ b/app-admin/sudo/sudo-9999.ebuild
@@ -3,7 +3,7 @@
 
 EAPI=8
 
-inherit pam libtool tmpfiles toolchain-funcs
+inherit autotools pam libtool tmpfiles toolchain-funcs
 
 MY_P="${P/_/}"
 MY_P="${MY_P/beta/b}"
@@ -86,10 +86,16 @@ REQUIRED_USE="
 
 MAKEOPTS+=" SAMPLES="
 
+PATCHES=(
+	"${FILESDIR}"/${PN}-1.9.16-allow-disabling-secure-path.patch
+)
+
 src_prepare() {
 	default
 
-	elibtoolize
+	# eautoreconf temporarily for allow-disabling-secure-path patch
+	# in 1.9.16; revert to elibtoolize once that is gone.
+	eautoreconf
 }
 
 set_secure_path() {
@@ -178,7 +184,8 @@ src_configure() {
 		$(use_with offensive all-insults)
 		$(use_with pam)
 		$(use_with pam pam-login)
-		$(use_with secure-path secure-path "${SECURE_PATH}")
+		$(use_with secure-path)
+		--with-secure-path-value="${SECURE_PATH}"
 		$(use_with selinux)
 		$(use_with sendmail)
 		$(use_with skey)


^ permalink raw reply related	[flat|nested] 9+ messages in thread

end of thread, other threads:[~2024-10-29  2:45 UTC | newest]

Thread overview: 9+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-10-29  2:45 [gentoo-commits] repo/gentoo:master commit in: app-admin/sudo/files/, app-admin/sudo/ Sam James
  -- strict thread matches above, loose matches on Subject: below --
2023-12-15  5:15 Sam James
2022-11-05  2:07 Sam James
2021-05-15 22:15 David Seifert
2021-01-30 10:19 Lars Wendler
2021-01-11 15:59 Lars Wendler
2020-12-01 10:37 Lars Wendler
2020-11-24 17:32 Lars Wendler
2020-09-07 20:44 Mike Gilbert

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox