Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/app-admin
diff options
context:
space:
mode:
authorDiego Elio Pettenò <flameeyes@gentoo.org>2011-01-19 14:56:41 +0000
committerDiego Elio Pettenò <flameeyes@gentoo.org>2011-01-19 14:56:41 +0000
commitea3d61165059758ff6e1b82fb5b3c87260368211 (patch)
tree06c5d385375595fa1b5c830a5d009e3135682c8d /app-admin
parentLower gcalctool and gnome-games requirements as their .30. versions are not r... (diff)
downloadhistorical-ea3d61165059758ff6e1b82fb5b3c87260368211.tar.gz
historical-ea3d61165059758ff6e1b82fb5b3c87260368211.tar.bz2
historical-ea3d61165059758ff6e1b82fb5b3c87260368211.zip
Version bump.
Package-Manager: portage-2.2.0_alpha17/cvs/Linux x86_64
Diffstat (limited to 'app-admin')
-rw-r--r--app-admin/sudo/ChangeLog7
-rw-r--r--app-admin/sudo/Manifest14
-rw-r--r--app-admin/sudo/sudo-1.7.4_p6.ebuild240
3 files changed, 259 insertions, 2 deletions
diff --git a/app-admin/sudo/ChangeLog b/app-admin/sudo/ChangeLog
index 63a65a76e70b..216fd02cc7aa 100644
--- a/app-admin/sudo/ChangeLog
+++ b/app-admin/sudo/ChangeLog
@@ -1,6 +1,11 @@
# ChangeLog for app-admin/sudo
# Copyright 1999-2011 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v 1.256 2011/01/15 12:32:50 armin76 Exp $
+# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v 1.257 2011/01/19 14:56:41 flameeyes Exp $
+
+*sudo-1.7.4_p6 (19 Jan 2011)
+
+ 19 Jan 2011; Diego E. Pettenò <flameeyes@gentoo.org> +sudo-1.7.4_p6.ebuild:
+ Version bump.
15 Jan 2011; Raúl Porcel <armin76@gentoo.org> sudo-1.7.4_p5.ebuild:
alpha/ia64/m68k/s390/sh/sparc stable wrt #351490
diff --git a/app-admin/sudo/Manifest b/app-admin/sudo/Manifest
index dfc56a9a9e17..ac2dd1deaf99 100644
--- a/app-admin/sudo/Manifest
+++ b/app-admin/sudo/Manifest
@@ -1,8 +1,20 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA1
+
AUX sudo-CVE-2010-2956.patch 2815 RMD160 6d48eb1dce125a129e56a208ee47bd502f0cd18a SHA1 ab3dbcc8de166bdf01aef0cf0bc53a6d86950c95 SHA256 4cc2c68d65a8ce95e3b248a426774a20896d36cbf21980137c77af1f0b674c4b
AUX sudo-skeychallengeargs.diff 567 RMD160 906ee43a7c2f21d1cf5130eac5c98ef0833154fd SHA1 b0efbedc72a1ed85c74ba10e343a68368e76c3e9 SHA256 dd2f4fdba26be6c3b4af15f3b6e18efa19375e1f9c579cdc2c76ee1adcce5e1d
DIST sudo-1.7.4p4.tar.gz 963663 RMD160 3b5eb69b4317c72def0e811c58a24df8c9c1c892 SHA1 c873f509f80d5722989a912a42a61ad27b71453f SHA256 38de3c3e08346b2b8dcb3cf7ed0813300d1a1d5696d0f338ea8a4ef232aacf97
DIST sudo-1.7.4p5.tar.gz 966176 RMD160 24fcaa065f9efc229abcf2b70ec4faca03efa32d SHA1 bb9c9ff6ce6d4c70bdc546316442e7021ca754c2 SHA256 72e8e3545f314d342f178b0fee4b483e26d70ef132b081699be035da0f0acbba
+DIST sudo-1.7.4p6.tar.gz 966234 RMD160 a6680042cf1836a96552953f546483c238e4ce9c SHA1 a306863b8bde9bfe2430ac1daaa6f45ccb842ed4 SHA256 20091ef71018698c674c779f4b57178b2ecb4275fa34909b06219d2688ad14d5
EBUILD sudo-1.7.4_p4.ebuild 7209 RMD160 66eab6cd5ccf87e87913bcd52bde8791e316fe82 SHA1 4bfedb8f6a7354f50422cb8b4baaf266699b5b7c SHA256 0ffac351399a497f94ffd4f674dc2fea9e9e6aed80936aea27bc8ff998ca73bb
EBUILD sudo-1.7.4_p5.ebuild 7208 RMD160 3e8714403edb762e6e31c084001a82fb7160fbf7 SHA1 7a5fa03c5c68ef5ad43dab98ddeb53d43b4cea9a SHA256 5dcdf6cf6e8a73dae5cdd92d2b447dfb9c7e959eab14fc76ca31a3e0f82d3d26
-MISC ChangeLog 35824 RMD160 45ca56ef80f01e60c99a52236270c948ff0c9caf SHA1 d057a10e3d1aed91a9bdd01f4125a7fd66a8201c SHA256 ef51e47aecf8ee694fbaf303052f593eeb97bcce9c7e4eecd6b8461ab94098e9
+EBUILD sudo-1.7.4_p6.ebuild 7222 RMD160 faef30c4b993d800e9e3730134c34ad7646725c0 SHA1 f79b35cee5f1a46d0077ddf291c268fb12eca0e8 SHA256 9e9d8519cc41d68760c819b72819be1ff3b05ead0ccc13851256645ad978fc1a
+MISC ChangeLog 35952 RMD160 439fc92a74d436cd7e7d95be8bd41e4c35c6ecaa SHA1 87e6418b7553a893942b7044fc408e00e09f09de SHA256 689deb25e048a9537ac495ca20f58be6e2a903063165b956ca8fc2c25a64523d
MISC metadata.xml 434 RMD160 a713e5ffdcc2216a46f5023ab77c6e3aeed0d183 SHA1 49a31df517e1ec39344ac83c13e9fca87379d261 SHA256 87e2d9f4535e80f4ba1f73366040bb23cfb4b1f3101c0e33df73aff2e77fc13f
+-----BEGIN PGP SIGNATURE-----
+Version: GnuPG v2.0.17 (GNU/Linux)
+
+iEYEARECAAYFAk02+5AACgkQAiZjviIA2Xhv1gCg5Zh9yw5bVdhrgCvc8LlzivlN
+BaUAoNe4gWgxuYwUQywgkPkTW5dF34m9
+=yswT
+-----END PGP SIGNATURE-----
diff --git a/app-admin/sudo/sudo-1.7.4_p6.ebuild b/app-admin/sudo/sudo-1.7.4_p6.ebuild
new file mode 100644
index 000000000000..8062b233cdac
--- /dev/null
+++ b/app-admin/sudo/sudo-1.7.4_p6.ebuild
@@ -0,0 +1,240 @@
+# Copyright 1999-2011 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/sudo-1.7.4_p6.ebuild,v 1.1 2011/01/19 14:56:41 flameeyes Exp $
+
+inherit eutils pam
+
+MY_P=${P/_/}
+MY_P=${MY_P/beta/b}
+
+case "${P}" in
+ *_beta* | *_rc*)
+ uri_prefix=beta/
+ ;;
+ *)
+ uri_prefix=""
+ ;;
+esac
+
+DESCRIPTION="Allows users or groups to run commands as other users"
+HOMEPAGE="http://www.sudo.ws/"
+SRC_URI="http://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
+ ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"
+
+# Basic license is ISC-style as-is, some files are released under
+# 3-clause BSD license
+LICENSE="as-is BSD"
+
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86 ~sparc-fbsd ~x86-fbsd"
+IUSE="pam skey offensive ldap selinux"
+
+DEPEND="pam? ( virtual/pam )
+ ldap? (
+ >=net-nds/openldap-2.1.30-r1
+ dev-libs/cyrus-sasl
+ )
+ !pam? ( skey? ( >=sys-auth/skey-1.1.5-r1 ) )
+ app-editors/gentoo-editor
+ virtual/editor
+ virtual/mta"
+RDEPEND="selinux? ( sec-policy/selinux-sudo )
+ ldap? ( dev-lang/perl )
+ pam? ( sys-auth/pambase )
+ ${DEPEND}"
+DEPEND="${DEPEND}
+ sys-devel/bison"
+
+S=${WORKDIR}/${MY_P}
+
+pkg_setup() {
+ if use pam && use skey; then
+ ewarn "You cannot enable both S/KEY and PAM at the same time, PAM will"
+ ewarn "be used then."
+ fi
+}
+
+src_unpack() {
+ unpack ${A}; cd "${S}"
+
+ # compatability fix.
+ epatch "${FILESDIR}"/${PN}-skeychallengeargs.diff
+
+ # additional variables to disallow, should user disable env_reset.
+
+ # NOTE: this is not a supported mode of operation, these variables
+ # are added to the blacklist as a convenience to administrators
+ # who fail to heed the warnings of allowing untrusted users
+ # to access sudo.
+ #
+ # there is *no possible way* to foresee all attack vectors in
+ # all possible applications that could potentially be used via
+ # sudo, these settings will just delay the inevitable.
+ #
+ # that said, I will accept suggestions for variables that can
+ # be misused in _common_ interpreters or libraries, such as
+ # perl, bash, python, ruby, etc., in the hope of dissuading
+ # a casual attacker.
+
+ # XXX: perl should be using suid_perl.
+ # XXX: users can remove/add more via env_delete and env_check.
+ # XXX: <?> = probably safe enough for most circumstances.
+
+ einfo "Blacklisting common variables (env_delete)..."
+ sudo_bad_var() {
+ local target='env.c' marker='\*initial_badenv_table\[\]'
+
+ ebegin " $1"
+ sed -i 's#\(^.*'${marker}'.*$\)#\1\n\t"'${1}'",#' "${S}"/${target}
+ eend $?
+ }
+
+ sudo_bad_var 'PERLIO_DEBUG' # perl, write debug to file.
+ sudo_bad_var 'FPATH' # ksh, search path for functions.
+ sudo_bad_var 'NULLCMD' # zsh, command on null-redir. <?>
+ sudo_bad_var 'READNULLCMD' # zsh, command on null-redir. <?>
+ sudo_bad_var 'GLOBIGNORE' # bash, glob paterns to ignore. <?>
+ sudo_bad_var 'PYTHONHOME' # python, module search path.
+ sudo_bad_var 'PYTHONPATH' # python, search path.
+ sudo_bad_var 'PYTHONINSPECT' # python, allow inspection.
+ sudo_bad_var 'RUBYLIB' # ruby, lib load path.
+ sudo_bad_var 'RUBYOPT' # ruby, cl options.
+ sudo_bad_var 'ZDOTDIR' # zsh, path to search for dotfiles.
+ einfo "...done."
+
+ # prevent binaries from being stripped.
+ sed -i 's/\($(INSTALL).*\) -s \(.*[(sudo|visudo)]\)/\1 \2/g' Makefile.in
+}
+
+src_compile() {
+ local line ROOTPATH
+
+ # FIXME: secure_path is a compile time setting. using ROOTPATH
+ # is not perfect, env-update may invalidate this, but until it
+ # is available as a sudoers setting this will have to do.
+ einfo "Setting secure_path..."
+
+ # why not use grep? variable might be expanded from other variables
+ # declared in that file. cannot just source the file, would override
+ # any variables already set.
+ eval `PS4= bash -x /etc/profile.env 2>&1 | \
+ while read line; do
+ case $line in
+ ROOTPATH=*) echo $line; break;;
+ *) continue;;
+ esac
+ done` && einfo " Found ROOTPATH..." || \
+ ewarn " Failed to find ROOTPATH, please report this."
+
+ # remove duplicate path entries from $1
+ cleanpath() {
+ local i=1 x n IFS=:
+ local -a paths; paths=($1)
+
+ for ((n=${#paths[*]}-1;i<=n;i++)); do
+ for ((x=0;x<i;x++)); do
+ test "${paths[i]}" == "${paths[x]}" && {
+ einfo " Duplicate entry ${paths[i]} removed..." 1>&2
+ unset paths[i]; continue 2; }
+ done; # einfo " Adding ${paths[i]}..." 1>&2
+ done; echo "${paths[*]}"
+ }
+
+ ROOTPATH=$(cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${ROOTPATH:+:${ROOTPATH}})
+
+ # strip gcc path (bug #136027)
+ rmpath() {
+ declare e newpath oldpath=${!1} PATHvar=$1 thisp IFS=:
+ shift
+ for thisp in $oldpath; do
+ for e; do [[ $thisp == $e ]] && continue 2; done
+ newpath=$newpath:$thisp
+ done
+ eval $PATHvar='${newpath#:}'
+ }
+
+ rmpath ROOTPATH '*/gcc-bin/*'
+
+ einfo "...done."
+
+ if use pam; then
+ myconf="--with-pam --without-skey"
+ elif use skey; then
+ myconf="--without-pam --with-skey"
+ else
+ myconf="--without-pam --without-skey"
+ fi
+
+ # audit: somebody got to explain me how I can test this before I
+ # enable it.. — Diego
+ econf --with-secure-path="${ROOTPATH}" \
+ --with-editor=/usr/libexec/gentoo-editor \
+ --with-env-editor \
+ $(use_with offensive insults) \
+ $(use_with offensive all-insults) \
+ $(use_with ldap ldap_conf_file /etc/ldap.conf.sudo) \
+ $(use_with ldap) \
+ --without-linux-audit \
+ --with-timedir=/var/db/sudo \
+ --docdir=/usr/share/doc/${PF} \
+ ${myconf}
+
+ emake || die
+}
+
+src_install() {
+ emake DESTDIR="${D}" install || die
+
+ if use ldap; then
+ dodoc README.LDAP schema.OpenLDAP
+ dosbin sudoers2ldif
+
+ cat - > "${T}"/ldap.conf.sudo <<EOF
+# See ldap.conf(5) and README.LDAP for details\n"
+# This file should only be readable by root\n\n"
+# supported directives: host, port, ssl, ldap_version\n"
+# uri, binddn, bindpw, sudoers_base, sudoers_debug\n"
+# tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key
+EOF
+
+ insinto /etc
+ doins "${T}"/ldap.conf.sudo
+ fperms 0440 /etc/ldap.conf.sudo
+ fi
+
+ pamd_mimic system-auth sudo auth account session
+
+ insinto /etc
+ doins "${S}"/sudoers
+ fperms 0440 /etc/sudoers
+
+ keepdir /var/db/sudo
+ fperms 0700 /var/db/sudo
+}
+
+pkg_postinst() {
+ if use ldap; then
+ ewarn
+ ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."
+ ewarn
+ if egrep -q '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf; then
+ ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
+ ewarn "configured in /etc/nsswitch.conf."
+ ewarn
+ ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"
+ ewarn " sudoers: ldap files"
+ ewarn
+ fi
+ fi
+
+ elog "To use the -A (askpass) option, you need to install a compatible"
+ elog "password program from the following list. Starred packages will"
+ elog "automatically register for the use with sudo (but will not force"
+ elog "the -A option):"
+ elog ""
+ elog " [*] net-misc/ssh-askpass-fullscreen"
+ elog " net-misc/x11-ssh-askpass"
+ elog ""
+ elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
+ elog "variable to the program you want to use."
+}