authorRaphaël Marichez <falco@gentoo.org>2008-04-15 11:38:17 +0200
committerRaphaël Marichez <falco@gentoo.org>2008-04-15 11:38:17 +0200
commitf797738dec2de8edda2b4b50b22264451f234e31 (patch)
tree74957c5b35315179cf6b4211506515f4b1dad8ac
parentwrong dir (diff)
sudo: own patch for logging the SSH_CLIENT env variable
Signed-off-by: Raphaël Marichez <falco@gentoo.org>
-rw-r--r--app-admin/sudo/ChangeLog338
-rw-r--r--app-admin/sudo/Manifest52
-rw-r--r--app-admin/sudo/files/digest-sudo-1.6.8_p111
-rw-r--r--app-admin/sudo/files/digest-sudo-1.6.8_p121
-rw-r--r--app-admin/sudo/files/digest-sudo-1.6.8_p12-r13
-rw-r--r--app-admin/sudo/files/digest-sudo-1.6.8_p91
-rw-r--r--app-admin/sudo/files/digest-sudo-1.6.8_p9-r23
-rw-r--r--app-admin/sudo/files/patch.sudo-1.6.8p9.logging.c.diff43
-rw-r--r--app-admin/sudo/files/sudo6
-rw-r--r--app-admin/sudo/files/sudo-1.6.8_p12-ssh_client.diff46
-rw-r--r--app-admin/sudo/files/sudo-1.6.8_p8-ldap-tls_cacert.diff10
-rw-r--r--app-admin/sudo/files/sudo-ldap_timelimit.diff76
-rw-r--r--app-admin/sudo/files/sudo-skeychallengeargs.diff15
-rw-r--r--app-admin/sudo/files/sudoers55
-rw-r--r--app-admin/sudo/metadata.xml15
-rw-r--r--app-admin/sudo/sudo-1.6.8_p12-r1.ebuild202
-rw-r--r--app-admin/sudo/sudo-1.6.8_p9-r2.ebuild199
17 files changed, 1066 insertions, 0 deletions
diff --git a/app-admin/sudo/ChangeLog b/app-admin/sudo/ChangeLog
new file mode 100644
index 0000000..9b0ca37
--- /dev/null
+++ b/app-admin/sudo/ChangeLog
@@ -0,0 +1,338 @@
+# ChangeLog for app-admin/sudo
+# Copyright 2002-2005 Gentoo Foundation; Distributed under the GPL v2
+# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/ChangeLog,v 1.88 2005/12/25 14:18:27 flameeyes Exp $
+
+ 25 Dec 2005; Diego Pettenò <flameeyes@gentoo.org> sudo-1.6.8_p12.ebuild:
+ Use bindnow-flags function instead of -Wl,-z,now.
+
+ 24 Nov 2005; Markus Rothe <corsair@gentoo.org> sudo-1.6.8_p9-r2.ebuild:
+ Stable on ppc64
+
+*sudo-1.6.8_p12 (12 Nov 2005)
+
+ 12 Nov 2005; Tavis Ormandy <taviso@gentoo.org> +sudo-1.6.8_p12.ebuild:
+ bump
+
+*sudo-1.6.8_p11 (29 Oct 2005)
+
+ 29 Oct 2005; Tavis Ormandy <taviso@gentoo.org> +sudo-1.6.8_p11.ebuild:
+ bump
+
+ 11 Oct 2005; <dang@gentoo.org> sudo-1.6.8_p9-r2.ebuild:
+ Marked stable on amd64
+
+ 06 Oct 2005; Hardave Riar <hardave@gentoo.org> sudo-1.6.8_p9-r2.ebuild:
+ Stable on mips.
+
+ 03 Oct 2005; Michael Hanselmann <hansmi@gentoo.org>
+ sudo-1.6.8_p9-r2.ebuild:
+ Stable on hppa, ppc, sparc.
+
+ 02 Oct 2005; Aron Griffis <agriffis@gentoo.org> sudo-1.6.8_p9-r2.ebuild:
+ Mark 1.6.8_p9-r2 stable on alpha
+
+ 02 Oct 2005; Aron Griffis <agriffis@gentoo.org> sudo-1.6.8_p9-r2.ebuild:
+ Mark 1.6.8_p9-r2 stable on ia64
+
+ 02 Oct 2005; Andrea Barisani <lcars@gentoo.org> sudo-1.6.8_p9-r2.ebuild:
+ Stable on x86
+
+ 25 Sep 2005; Tavis Ormandy <taviso@gentoo.org> files/sudo,
+ -files/sudo-1.6.7_p5-strip-bash-functions.diff, -files/sudo-1.6.8_p8,
+ -files/sudo-strip-bash-functions.diff, -files/sudo-strip-shellopts.diff,
+ -files/sudo_include, -sudo-1.6.7_p5-r2.ebuild, -sudo-1.6.7_p5-r5.ebuild,
+ -sudo-1.6.8_p9-r1.ebuild, sudo-1.6.8_p9-r2.ebuild, sudo-1.6.8_p9.ebuild:
+ remove stale patches, files, ebuilds, etc.
+
+ 21 Sep 2005; Tavis Ormandy <taviso@gentoo.org> sudo-1.6.8_p9-r2.ebuild:
+ fix #106765, sudo requires owner does not have write permission.
+
+ 18 Sep 2005; Tavis Ormandy <taviso@gentoo.org> sudo-1.6.8_p9-r2.ebuild:
+ add dependency required for selinux. #106350
+
+*sudo-1.6.8_p9-r2 (05 Jul 2005)
+
+ 05 Jul 2005; Andrea Barisani <lcars@gentoo.org>
+ +files/sudo-ldap_timelimit.diff, +sudo-1.6.8_p9-r2.ebuild:
+ Added ldap failover patch, bug #96766. Minor change to ldap.conf.sudo.
+
+ 02 Jul 2005; Hardave Riar <hardave@gentoo.org> sudo-1.6.8_p9.ebuild,
+ sudo-1.6.8_p9-r1.ebuild:
+ Stable on mips, bug #96618. Also adding dropped ~mips keyword.
+
+ 29 Jun 2005; Tavis Ormandy <taviso@gentoo.org> metadata.xml:
+ added lcars as maintainer of ldap support.
+
+*sudo-1.6.8_p9-r1 (29 Jun 2005)
+
+ 29 Jun 2005; Tavis Ormandy <taviso@gentoo.org> -sudo-1.6.7_p5-r4.ebuild,
+ -sudo-1.6.8_p8-r2.ebuild, -sudo-1.6.8_p8-r3.ebuild,
+ +sudo-1.6.8_p9-r1.ebuild:
+ use a secure copy of ldap.conf to prevent local information leak.
+
+ 23 Jun 2005; Olivier Crête <tester@gentoo.org> sudo-1.6.8_p9.ebuild:
+ Stable on x86
+
+ 21 Jun 2005; Fernando J. Pereda <ferdy@gentoo.org> sudo-1.6.8_p9.ebuild:
+ stable on alpha, wrt bug #96618
+
+ 21 Jun 2005; <plasmaroo@gentoo.org> sudo-1.6.8_p9.ebuild:
+ Stable on IA64: Bug #96618.
+
+ 21 Jun 2005; Gustavo Zacarias <gustavoz@gentoo.org> sudo-1.6.8_p9.ebuild:
+ Stable on sparc wrt #96618
+
+ 21 Jun 2005; Simon Stelling <blubb@gentoo.org> sudo-1.6.8_p9.ebuild:
+ stable on amd64 wrt bug 96618
+
+ 21 Jun 2005; Rene Nussbaumer <killerfox@gentoo.org> sudo-1.6.8_p9.ebuild:
+ Stable on hppa. bug #96618
+
+ 21 Jun 2005; Markus Rothe <corsair@gentoo.org> sudo-1.6.8_p9.ebuild:
+ Stable on ppc64; bug #96618
+
+ 21 Jun 2005; Michael Hanselmann <hansmi@gentoo.org> sudo-1.6.8_p9.ebuild:
+ Stable on ppc (#96618).
+
+ 20 Jun 2005; Tavis Ormandy <taviso@gentoo.org> sudo-1.6.8_p9.ebuild:
+ depend on virtual/mta
+
+*sudo-1.6.8_p9 (20 Jun 2005)
+
+ 20 Jun 2005; Tavis Ormandy <taviso@gentoo.org> +sudo-1.6.8_p9.ebuild:
+ new version fixes security issue.
+
+ 19 Jun 2005; Bryan Østergaard <kloeri@gentoo.org>
+ sudo-1.6.8_p8-r3.ebuild:
+ Add ~alpha keyword.
+
+ 18 Jun 2005; Jason Wever <weeve@gentoo.org> sudo-1.6.8_p8-r3.ebuild:
+ Added ~sparc keyword since someone dropped all the keywords :(
+
+ 18 Jun 2005; Markus Rothe <corsair@gentoo.org> sudo-1.6.8_p8-r3.ebuild:
+ added ~ppc64
+
+ 17 Jun 2005; Tavis Ormandy <taviso@gentoo.org> sudo-1.6.8_p8-r3.ebuild:
+ tighten sed syntax
+
+ 16 Jun 2005; Tavis Ormandy <taviso@gentoo.org> sudo-1.6.8_p8-r3.ebuild:
+ prevent binaries from being stripped if FEATURES=nostrip.
+ make tls_cacert synonymous with tls_cacertfile for consistency.
+
+ 15 Jun 2005; Markus Rothe <corsair@gentoo.org> sudo-1.6.7_p5-r4.ebuild:
+ Stable on ppc64
+
+ 14 Jun 2005; Tavis Ormandy <taviso@gentoo.org> sudo-1.6.8_p8-r3.ebuild:
+ include sudoers2ldif and README.LDAP
+
+ 10 Jun 2005; Joseph Jezak <josejx@gentoo.org> sudo-1.6.7_p5-r4.ebuild:
+ Marked ppc stable.
+
+ 09 Jun 2005; Tavis Ormandy <taviso@gentoo.org> files/sudoers,
+ sudo-1.6.8_p8-r3.ebuild:
+ add examples to sudoers
+
+ 09 Jun 2005; Tavis Ormandy <taviso@gentoo.org> sudo-1.6.8_p8-r3.ebuild:
+ nano should be the default editor.
+
+ 09 Jun 2005; Tavis Ormandy <taviso@gentoo.org> sudo-1.6.8_p8-r3.ebuild:
+ ROOTPATH does not contain /usr/local prefixed directories in recent
+ baselayout, add function to clean up duplicate entries and ensure /usr/local
+ is included.
+
+ 08 Jun 2005; Rene Nussbaumer <killerfox@gentoo.org>
+ sudo-1.6.7_p5-r4.ebuild:
+ Stable on hppa.
+
+*sudo-1.6.8_p8-r3 (08 Jun 2005)
+
+ 08 Jun 2005; <flame@gentoo.org> +sudo-1.6.8_p8-r3.ebuild:
+ Another new revision for this version which uses virtual/pam and
+ pamd_mimic_system to create the pamd file. Also marked ~amd64.
+
+*sudo-1.6.7_p5-r5 (08 Jun 2005)
+
+ 08 Jun 2005; <flame@gentoo.org> +sudo-1.6.7_p5-r5.ebuild:
+ New revision bump to have it working on Gentoo/FreeBSD.
+
+ 06 Jun 2005; Tavis Ormandy <taviso@gentoo.org>
+ -files/sudo-1.6.8_p1-suid_fix.patch, files/sudoers, sudo-1.6.8_p8-r2.ebuild:
+ remove stale patch.
+
+ 06 Jun 2005; Gustavo Zacarias <gustavoz@gentoo.org>
+ sudo-1.6.7_p5-r4.ebuild:
+ Stable on sparc
+
+ 06 Jun 2005; Tavis Ormandy <taviso@gentoo.org> sudo-1.6.8_p8-r2.ebuild:
+ add some additional variables to blacklist from common interpreters.
+ please see coments in ebuild.
+
+*sudo-1.6.8_p8-r2 (06 Jun 2005)
+
+ 06 Jun 2005; Tavis Ormandy <taviso@gentoo.org> +files/sudo-1.6.8_p8,
+ sudo-1.6.8_p8-r2.ebuild:
+ fix longstanding bug with insults and pam + timestamps.
+
+ 06 Jun 2005; Tavis Ormandy <taviso@gentoo.org>
+ -files/sudo-strip-shellopts.diff, sudo-1.6.7_p5-r4.ebuild,
+ -sudo-1.6.8_p8-r1.ebuild:
+ add function to strip bad vars.
+ enable ldap support.
+
+*sudo-1.6.8_p8-r1 (05 Jun 2005)
+
+ 05 Jun 2005; Tavis Ormandy <taviso@gentoo.org>
+ +files/sudo-strip-shellopts.diff, +sudo-1.6.7_p5-r4.ebuild,
+ +sudo-1.6.8_p8-r1.ebuild, -sudo-1.6.8_p8.ebuild:
+ start stripping shellopts as well.
+ also remove stale ebuilds.
+
+ 05 Jun 2005; Tavis Ormandy <taviso@gentoo.org> sudo-1.6.8_p8.ebuild:
+ enabling secure_path, which currently extracts the value from profile.env,
+ awaiting inspiration for a more robust solution.
+ This change is sure to generate some bug reports, but makes sense in the
+ long term if a nice solution can be found for determining the path.
+
+ 20 May 2005; Diego Pettenò <flameeyes@gentoo.org> sudo-1.6.6.ebuild,
+ sudo-1.6.7_p5.ebuild, sudo-1.6.7_p5-r1.ebuild, sudo-1.6.7_p5-r2.ebuild,
+ sudo-1.6.7_p5-r3.ebuild, sudo-1.6.8_p1.ebuild, sudo-1.6.8_p1-r1.ebuild,
+ sudo-1.6.8_p1-r2.ebuild, sudo-1.6.8_p2.ebuild:
+ Using new pam eclass for newpamd/dopamd.
+
+*sudo-1.6.7_p5-r3 (28 Apr 2005)
+
+ 28 Apr 2005; Diego Pettenò <flameeyes@gentoo.org> +files/sudo_include,
+ +sudo-1.6.7_p5-r3.ebuild:
+ Added new revision which depends on virtual/pam and uses the include
+ notation so that it works on non-linux-pam systems.
+
+ 18 Dec 2004; Tavis Ormandy <taviso@gentoo.org> files/sudoers:
+ add suoders warnings
+
+ 23 Nov 2004; Guy Martin <gmsoft@gentoo.org> sudo-1.6.7_p5-r2.ebuild:
+ Stable on hppa.
+
+ 17 Nov 2004; Hardave Riar <hardave@gentoo.org> sudo-1.6.7_p5-r2.ebuild:
+ Stable on mips, bug #70838
+
+ 17 Nov 2004; Markus Rothe <corsair@gentoo.org> sudo-1.6.7_p5-r2.ebuild:
+ Stable on ppc64; bug #70838
+
+ 17 Nov 2004; Dylan Carlson <absinthe@gentoo.org> sudo-1.6.7_p5-r2.ebuild:
+ Stable on amd64.
+
+ 17 Nov 2004; Gustavo Zacarias <gustavoz@gentoo.org> sudo-1.6.7_p5-r2.ebuild:
+ Stable on sparc wrt #70838
+
+ 17 Nov 2004; <SeJo@gentoo.org> sudo-1.6.7_p5-r2.ebuild:
+ stable on ppc: 70838
+
+ 17 Nov 2004; Bryan Østergaard <kloeri@gentoo.org>
+ sudo-1.6.7_p5-r2.ebuild:
+ Stable on alpha, bug 70838.
+
+ 13 Nov 2004; Tavis Ormandy <taviso@gentoo.org> files/sudoers:
+ new release
+
+*sudo-1.6.8_p1-r2 (11 Nov 2004)
+
+ 11 Nov 2004; Tavis Ormandy <taviso@gentoo.org> +files/sudoers,
+ +sudo-1.6.7_p5-r2.ebuild, +sudo-1.6.8_p1-r2.ebuild:
+ env_reset has been added to the Defaults in the default sudoers file.
+
+*sudo-1.6.8_p1-r1 (17 Sep 2004)
+
+ 17 Sep 2004; Tavis Ormandy <taviso@gentoo.org>
+ +files/sudo-skeychallengeargs.diff, sudo-1.6.7_p5.ebuild,
+ +sudo-1.6.8_p1-r1.ebuild, sudo-1.6.8_p1.ebuild:
+ support for skey passwords #49040
+
+*sudo-1.6.8_p1 (17 Sep 2004)
+
+ 17 Sep 2004; Daniel Ahlberg <aliz@gentoo.org> sudo-1.6.8_p1.ebuild:
+ Version bump.
+
+ 31 Jul 2004; <solar@gentoo.org> sudo-1.6.7_p5.ebuild:
+ gnuconfig update needed for atleast uclibc
+
+ 01 Jun 2004; Tom Gall <tgall@gentoo.org> sudo-1.6.7_p5.ebuild:
+ stable on ppc64, bug #52705
+
+ 25 Apr 2004; Aron Griffis <agriffis@gentoo.org> sudo-1.6.6.ebuild,
+ sudo-1.6.7_p5.ebuild:
+ Add die following econf for bug 48950
+
+ 01 Apr 2004; Brian Jackson <iggy@gentoo.org> sudo-1.6.7_p5.ebuild:
+ add s390 to keywords
+
+ 21 Mar 2004; Joshua Kinard <kumba@gentoo.org> sudo-1.6.7_p5.ebuild:
+ Marked stable on mips.
+
+ 04 Nov 2003; Christian Birchinger <joker@gentoo.org> sudo-1.6.7_p5.ebuild:
+ Added sparc stable keyword
+
+ 01 Oct 2003; Tavis Ormandy <taviso@gentoo.org> sudo-1.6.7_p5.ebuild:
+ Stable on alpha
+
+*sudo-1.6.7_p5 (19 May 2003)
+
+ 30 Sep 2003; Joshua Kinard <kumba@gentoo.org> sudo-1.6.7_p5.ebuild:
+ Added ~mips to KEYWORDS
+
+ 02 Jul 2003; Guy Martin <gmsoft@gentoo.org> sudo-1.6.7_p5.ebuild :
+ Marked stable on hppa.
+
+ 19 May 2003; Daniel Ahlberg <aliz@gentoo.org> sudo-1.6.7_p5.ebuild :
+ Version bump.
+
+ 05 Feb 2003; Martin Schlemmer <azarah@gentoo.org> $FILESDIR/sudo :
+ Update pam.d file to use system-auth via pam_stack.so. This
+ closes bug #15032.
+
+ 01 Jan 2003; Aron Griffis <agriffis@gentoo.org> sudo-1.6.6.ebuild :
+ Added alpha to KEYWORDS
+
+ 06 Dec 2002; Rodney Rees <manson@gentoo.org> : changed sparc ~sparc keywords
+
+ 26 Apr 2002; Thilo Bangert <bangert@gentoo.org> :
+ added --with-env-editor so that EDITOR is respected when using visudo
+
+*sudo-1.6.6 (26 Apr 2002)
+
+ 23 May 2003; Seemant Kulleen <seemant@gentoo.org> sudo-1.6.6.ebuild:
+ download location fixed
+
+ 21 Mar 2003; Guy Martin <gmsoft@gentoo.org> sudo-1.6.6.ebuild :
+ Added hppa to KEYWORDS.
+
+ 13 Mar 2003; Zach Welch <zwelch@gentoo.org> sudo-1.6.6.ebuild:
+ add arm keyword
+
+ 15 Jul 2002; Owen Stampflee <owen@gentoo.org> :
+
+ Added KEYWORDS.
+
+ 26 Apr 2002; Thilo Bangert <bangert@gentoo.org> :
+ new security release
+ see http://online.securityfocus.com/advisories/4061
+
+
+*sudo-1.6.5_p2 (6 Mar 2002)
+
+ 6 Mar 2002; Daniel Robbins <drobbins@gentoo.org> : new release, fixing
+ the "pam_setcred: permission denied" bug. Which is apparently a bug in
+ PAM itself?
+
+ 10 Mar 2002; Bruce A. Locke <blocke@shivan.org> sudo-1.6.5_p2.ebuild :
+
+ FAQ file is no longer in the upstream tarball
+
+*sudo-1.6.5_p1 (1 Feb 2002)
+
+ 1 Feb 2002; G.Bevin <gbevin@gentoo.org> ChangeLog :
+
+ Added initial ChangeLog which should be updated whenever the package is
+ updated in any way. This changelog is targetted to users. This means that the
+ comments should well explained and written in clean English. The details about
+ writing correct changelogs are explained in the skel.ChangeLog file which you
+ can find in the root directory of the portage repository.
diff --git a/app-admin/sudo/Manifest b/app-admin/sudo/Manifest
new file mode 100644
index 0000000..66bd287
--- /dev/null
+++ b/app-admin/sudo/Manifest
@@ -0,0 +1,52 @@
+AUX patch.sudo-1.6.8p9.logging.c.diff 1539 RMD160 0bdfff8770e4937692f8dda82c2d64d3c59f161f SHA1 54872fdb93de5a4c684a380f9a4a9525958526ec SHA256 1ac8e7886c75b4f54100035dd7cee2e031cda788ec746fcac30142a0cb0b9342
+MD5 bf5f954aab3b201f426037dbc4736932 files/patch.sudo-1.6.8p9.logging.c.diff 1539
+RMD160 0bdfff8770e4937692f8dda82c2d64d3c59f161f files/patch.sudo-1.6.8p9.logging.c.diff 1539
+SHA256 1ac8e7886c75b4f54100035dd7cee2e031cda788ec746fcac30142a0cb0b9342 files/patch.sudo-1.6.8p9.logging.c.diff 1539
+AUX sudo 223 RMD160 4bc9a3e5d2dfd73bb1f14e5bad3b644ba80758d3 SHA1 fa6377c699ff2061c77cb87737fa2b4aaa8e8b9f SHA256 3f8dae2c663ed62bbe19e9b3e24f0e206fd1a4929bbafdff2e577e1aed9f2b58
+MD5 6c08a6d5527a45278ebc165df7f0031d files/sudo 223
+RMD160 4bc9a3e5d2dfd73bb1f14e5bad3b644ba80758d3 files/sudo 223
+SHA256 3f8dae2c663ed62bbe19e9b3e24f0e206fd1a4929bbafdff2e577e1aed9f2b58 files/sudo 223
+AUX sudo-1.6.8_p12-ssh_client.diff 1815 RMD160 1ec5b9858bceee2292dd88167eb8e3760b46da2b SHA1 f54690102a0e669a34089acf2d0c37d4dd86ae67 SHA256 4d51ab9e7de3a6b5d222e4de2ec1eb3a17d35abbbf4182fc36d8b3d91c5b8bfc
+MD5 f36728e36becc85e414f0913c64c6332 files/sudo-1.6.8_p12-ssh_client.diff 1815
+RMD160 1ec5b9858bceee2292dd88167eb8e3760b46da2b files/sudo-1.6.8_p12-ssh_client.diff 1815
+SHA256 4d51ab9e7de3a6b5d222e4de2ec1eb3a17d35abbbf4182fc36d8b3d91c5b8bfc files/sudo-1.6.8_p12-ssh_client.diff 1815
+AUX sudo-1.6.8_p8-ldap-tls_cacert.diff 542 RMD160 cff54e31749796f732ce176b568797999325715e SHA1 3e7e493055998034d2b5a91160041e93d2246556 SHA256 2bc04b2b3ccd20f0ca545b74ca7ac68b708a1852af2fe2c620e78a92a45c2b23
+MD5 4a46750ff53c19dbfed39d894dd6ff4d files/sudo-1.6.8_p8-ldap-tls_cacert.diff 542
+RMD160 cff54e31749796f732ce176b568797999325715e files/sudo-1.6.8_p8-ldap-tls_cacert.diff 542
+SHA256 2bc04b2b3ccd20f0ca545b74ca7ac68b708a1852af2fe2c620e78a92a45c2b23 files/sudo-1.6.8_p8-ldap-tls_cacert.diff 542
+AUX sudo-ldap_timelimit.diff 2550 RMD160 b34a41e3fc4016ff182ed1800e0f1b0f82d3bfdf SHA1 c3c15eea9cf2e552010e27d0282246fa770d2fae SHA256 fc6eedb3435edbf5ccfcd5f62d8f31a78bf01afbb519c6b40bbe1329d82d6cea
+MD5 2a601951e4e5d6bdafc31b223737ddf5 files/sudo-ldap_timelimit.diff 2550
+RMD160 b34a41e3fc4016ff182ed1800e0f1b0f82d3bfdf files/sudo-ldap_timelimit.diff 2550
+SHA256 fc6eedb3435edbf5ccfcd5f62d8f31a78bf01afbb519c6b40bbe1329d82d6cea files/sudo-ldap_timelimit.diff 2550
+AUX sudo-skeychallengeargs.diff 567 RMD160 906ee43a7c2f21d1cf5130eac5c98ef0833154fd SHA1 b0efbedc72a1ed85c74ba10e343a68368e76c3e9 SHA256 dd2f4fdba26be6c3b4af15f3b6e18efa19375e1f9c579cdc2c76ee1adcce5e1d
+MD5 0b50aabedf9bb326893b5f1c333e46b2 files/sudo-skeychallengeargs.diff 567
+RMD160 906ee43a7c2f21d1cf5130eac5c98ef0833154fd files/sudo-skeychallengeargs.diff 567
+SHA256 dd2f4fdba26be6c3b4af15f3b6e18efa19375e1f9c579cdc2c76ee1adcce5e1d files/sudo-skeychallengeargs.diff 567
+AUX sudoers 1645 RMD160 f8bf0fe8bd5d1f02cf62438871a1662ad40c9f6f SHA1 73faccf4baf8c136809b3f5c749997e2a16d5e6c SHA256 dfee348e1c5fc745656a24cb6f5e813a08e69e30a8ebf9b9a74a59cc36e5b7ea
+MD5 59acf8b0292a8e60b5277b5dc952cfc4 files/sudoers 1645
+RMD160 f8bf0fe8bd5d1f02cf62438871a1662ad40c9f6f files/sudoers 1645
+SHA256 dfee348e1c5fc745656a24cb6f5e813a08e69e30a8ebf9b9a74a59cc36e5b7ea files/sudoers 1645
+DIST sudo-1.6.8p12.tar.gz 585643 RMD160 d7ff9f18ca0973615258c2e975300b94567451d5 SHA1 a79631e9e1c0d0d3f2aa88ae685628e5fde61982 SHA256 56f7d86032538a4a98d90af3742903a09ba16d6db82b593e4a47605f87fa581a
+DIST sudo-1.6.8p9.tar.gz 585509 RMD160 c1c719504476ab9ac11e0421716d149120463e33 SHA1 f264d1ad9f197920f2e69614db7935b35ca51672 SHA256 68f5b3e4f5572d816cf4d23616432286da7ba96ac58c17fef23046f12c88f440
+EBUILD sudo-1.6.8_p12-r1.ebuild 6677 RMD160 9698b52734c6072dd0e4730c23100a9afb9e337a SHA1 d495be52dc0a0de5507030bff24dbe7463983438 SHA256 e34c5a7313b4ee81f34b3439b612d8ae614ba22153d267785cc5e234376455ec
+MD5 77f8831c9b20feaa083913d6adbe450e sudo-1.6.8_p12-r1.ebuild 6677
+RMD160 9698b52734c6072dd0e4730c23100a9afb9e337a sudo-1.6.8_p12-r1.ebuild 6677
+SHA256 e34c5a7313b4ee81f34b3439b612d8ae614ba22153d267785cc5e234376455ec sudo-1.6.8_p12-r1.ebuild 6677
+EBUILD sudo-1.6.8_p9-r2.ebuild 6952 RMD160 aefe17dda3f4f8f7b422dd7296924b693329c057 SHA1 b8f2bf3c083bec019fe3fa78876c335b673fa56f SHA256 b092cf983a5460aafe51f5e630c7858568856ce4aeb2a8977c636ac7d1a639ed
+MD5 107f24d80634d477cab72f166f7bd098 sudo-1.6.8_p9-r2.ebuild 6952
+RMD160 aefe17dda3f4f8f7b422dd7296924b693329c057 sudo-1.6.8_p9-r2.ebuild 6952
+SHA256 b092cf983a5460aafe51f5e630c7858568856ce4aeb2a8977c636ac7d1a639ed sudo-1.6.8_p9-r2.ebuild 6952
+MISC ChangeLog 11792 RMD160 9f6c04c00a6a316a70fd4fad90f3f362cda33de2 SHA1 6acb35552cae34437433f9dc1ae21ba4c079a5dc SHA256 a4e4d2b9ac935f73fe0f67d9ed74d11d64176ee92b151ae6ad09e2a6f32b6738
+MD5 5e37a4454e2a52fcd347893baf9828fa ChangeLog 11792
+RMD160 9f6c04c00a6a316a70fd4fad90f3f362cda33de2 ChangeLog 11792
+SHA256 a4e4d2b9ac935f73fe0f67d9ed74d11d64176ee92b151ae6ad09e2a6f32b6738 ChangeLog 11792
+MISC metadata.xml 561 RMD160 04a154038f02ff778d7f668490c262b240187904 SHA1 b02c76e80af1c07aed2293c90f1285edbef7de0b SHA256 d28efd1ec2116064d019539bebd0d6f8efbe7ed04c2ae5ddc99cbc8b6bef2495
+MD5 4e3ab49065539b5aa4d3153261b5d687 metadata.xml 561
+RMD160 04a154038f02ff778d7f668490c262b240187904 metadata.xml 561
+SHA256 d28efd1ec2116064d019539bebd0d6f8efbe7ed04c2ae5ddc99cbc8b6bef2495 metadata.xml 561
+MD5 7b636eeeaa97990ecc5cd03fd171b207 files/digest-sudo-1.6.8_p12-r1 241
+RMD160 33be8312a07a9e926e1bc227c922d6078b18de47 files/digest-sudo-1.6.8_p12-r1 241
+SHA256 f3e327aa5ab8f92d8c3fd64df89d3d2cbde40e85e1d49873d03f105033755617 files/digest-sudo-1.6.8_p12-r1 241
+MD5 22f392e9685a8c5d5ef4667b7bb5d6ea files/digest-sudo-1.6.8_p9-r2 238
+RMD160 0ee0d452db676cc2e3e21c2b18d5f2bfd0bd012c files/digest-sudo-1.6.8_p9-r2 238
+SHA256 ffd8cbc37d836a37eb84dd49d7bc538df5a2a6b02972d5dd8f94d31496d109fa files/digest-sudo-1.6.8_p9-r2 238
diff --git a/app-admin/sudo/files/digest-sudo-1.6.8_p11 b/app-admin/sudo/files/digest-sudo-1.6.8_p11
new file mode 100644
index 0000000..a0e605f
--- /dev/null
+++ b/app-admin/sudo/files/digest-sudo-1.6.8_p11
@@ -0,0 +1 @@
+MD5 2b4dbbcec2865adbe12c5693097a6d2c sudo-1.6.8p11.tar.gz 585581
diff --git a/app-admin/sudo/files/digest-sudo-1.6.8_p12 b/app-admin/sudo/files/digest-sudo-1.6.8_p12
new file mode 100644
index 0000000..b0063e9
--- /dev/null
+++ b/app-admin/sudo/files/digest-sudo-1.6.8_p12
@@ -0,0 +1 @@
+MD5 b29893c06192df6230dd5f340f3badf5 sudo-1.6.8p12.tar.gz 585643
diff --git a/app-admin/sudo/files/digest-sudo-1.6.8_p12-r1 b/app-admin/sudo/files/digest-sudo-1.6.8_p12-r1
new file mode 100644
index 0000000..02e4692
--- /dev/null
+++ b/app-admin/sudo/files/digest-sudo-1.6.8_p12-r1
@@ -0,0 +1,3 @@
+MD5 b29893c06192df6230dd5f340f3badf5 sudo-1.6.8p12.tar.gz 585643
+RMD160 d7ff9f18ca0973615258c2e975300b94567451d5 sudo-1.6.8p12.tar.gz 585643
+SHA256 56f7d86032538a4a98d90af3742903a09ba16d6db82b593e4a47605f87fa581a sudo-1.6.8p12.tar.gz 585643
diff --git a/app-admin/sudo/files/digest-sudo-1.6.8_p9 b/app-admin/sudo/files/digest-sudo-1.6.8_p9
new file mode 100644
index 0000000..0629e17
--- /dev/null
+++ b/app-admin/sudo/files/digest-sudo-1.6.8_p9
@@ -0,0 +1 @@
+MD5 6d0346abd16914956bc7ea4f17fc85fb sudo-1.6.8p9.tar.gz 585509
diff --git a/app-admin/sudo/files/digest-sudo-1.6.8_p9-r2 b/app-admin/sudo/files/digest-sudo-1.6.8_p9-r2
new file mode 100644
index 0000000..89fdc9a
--- /dev/null
+++ b/app-admin/sudo/files/digest-sudo-1.6.8_p9-r2
@@ -0,0 +1,3 @@
+MD5 6d0346abd16914956bc7ea4f17fc85fb sudo-1.6.8p9.tar.gz 585509
+RMD160 c1c719504476ab9ac11e0421716d149120463e33 sudo-1.6.8p9.tar.gz 585509
+SHA256 68f5b3e4f5572d816cf4d23616432286da7ba96ac58c17fef23046f12c88f440 sudo-1.6.8p9.tar.gz 585509
diff --git a/app-admin/sudo/files/patch.sudo-1.6.8p9.logging.c.diff b/app-admin/sudo/files/patch.sudo-1.6.8p9.logging.c.diff
new file mode 100644
index 0000000..be6da5c
--- /dev/null
+++ b/app-admin/sudo/files/patch.sudo-1.6.8p9.logging.c.diff
@@ -0,0 +1,43 @@
+--- logging.b.c 2006-01-21 15:49:27.000000000 +0100
++++ logging.c 2006-01-21 18:47:05.000000000 +0100
+@@ -301,9 +301,9 @@
+ else
+ message = "unknown error ; ";
+
+- easprintf(&logline, "%sTTY=%s ; PWD=%s ; USER=%s ; COMMAND=%s%s%s",
++ easprintf(&logline, "%sTTY=%s ; PWD=%s ; USER=%s ; COMMAND=%s%s%s ; SSH_CLIENT=%s",
+ message, user_tty, user_cwd, *user_runas, user_cmnd,
+- user_args ? " " : "", user_args ? user_args : "");
++ user_args ? " " : "", user_args ? user_args : "", user_ssh_client ? user_ssh_client : "" );
+
+ mail_auth(status, logline); /* send mail based on status */
+
+--- env.b.c 2005-02-06 16:37:01.000000000 +0100
++++ env.c 2006-01-21 18:42:41.000000000 +0100
+@@ -183,6 +183,8 @@
+ user_prompt = *ep + 12;
+ else if (strncmp("SUDO_USER=", *ep, 10) == 0)
+ prev_user = *ep + 10;
++ else if (strncmp("SSH_CLIENT=", *ep, 11) == 0)
++ user_ssh_client = *ep + 11;
+ continue;
+ case 'T':
+ if (strncmp("TZ=", *ep, 3) == 0)
+--- sudo.b.h 2005-03-24 00:44:46.000000000 +0100
++++ sudo.h 2006-01-21 18:51:34.000000000 +0100
+@@ -38,6 +38,7 @@
+ struct stat *cmnd_stat;
+ char *path;
+ char *shell;
++ char *user_ssh_client;
+ char *tty;
+ char cwd[PATH_MAX];
+ char *host;
+@@ -127,6 +128,7 @@
+ #define user_shell (sudo_user.shell)
+ #define user_tty (sudo_user.tty)
+ #define user_cwd (sudo_user.cwd)
++#define user_ssh_client (sudo_user.user_ssh_client)
+ #define user_runas (sudo_user.runas)
+ #define user_cmnd (sudo_user.cmnd)
+ #define user_args (sudo_user.cmnd_args)
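Review bot: The value logged as `SSH_CLIENT=` in the logging.c hunk is copied straight from the invoking user's environment by the env.c hunk (`user_ssh_client = *ep + 11;`), so the caller chooses it and it should not be read as an authenticated source address. Nothing visible here filters it, so control characters or a ` ; ` sequence in the variable would reach the log line and the text handed to `mail_auth()` unchanged. I would replace non-printable bytes and bound the length before the `easprintf()` call, and add a comment such as `/* SSH_CLIENT is caller-supplied and unauthenticated: a hint for correlation with sshd logs, not evidence */`. The same applies to files/sudo-1.6.8_p12-ssh_client.diff, which carries the identical change. The enclosing functions start and end outside these hunks.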
diff --git a/app-admin/sudo/files/sudo b/app-admin/sudo/files/sudo
new file mode 100644
index 0000000..8fc562d
--- /dev/null
+++ b/app-admin/sudo/files/sudo
@@ -0,0 +1,6 @@
+#%PAM-1.0
+
+auth required pam_stack.so service=system-auth
+account required pam_stack.so service=system-auth
+password required pam_stack.so service=system-auth
+session required pam_stack.so service=system-auth
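Review bot: All four lines depend on `pam_stack.so`, which is not part of every PAM implementation; where the module is missing, a `required` line cannot be satisfied and sudo authentication through PAM would presumably be refused. The package's own ChangeLog (28 Apr 2005 entry) already describes a switch to the include notation for non-linux-pam systems, so this file could read `auth include system-auth`, and likewise for `account`, `password` and `session`. Whether any ebuild in this commit still installs this file is not visible from the hunk.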
diff --git a/app-admin/sudo/files/sudo-1.6.8_p12-ssh_client.diff b/app-admin/sudo/files/sudo-1.6.8_p12-ssh_client.diff
new file mode 100644
index 0000000..540ee74
--- /dev/null
+++ b/app-admin/sudo/files/sudo-1.6.8_p12-ssh_client.diff
@@ -0,0 +1,46 @@
+diff -uNr -r sudo-1.6.8p12-orig/env.c sudo-1.6.8p12/env.c
+--- sudo-1.6.8p12-orig/env.c 2007-03-04 18:32:36.000000000 +0100
++++ sudo-1.6.8p12/env.c 2007-03-04 18:32:06.000000000 +0100
+@@ -200,6 +200,8 @@
+ user_prompt = *ep + 12;
+ else if (strncmp("SUDO_USER=", *ep, 10) == 0)
+ prev_user = *ep + 10;
++ else if (strncmp("SSH_CLIENT=", *ep, 11) == 0)
++ user_ssh_client = *ep + 11;
+ continue;
+ case 'T':
+ if (strncmp("TZ=", *ep, 3) == 0)
+diff -uNr -r sudo-1.6.8p12-orig/logging.c sudo-1.6.8p12/logging.c
+--- sudo-1.6.8p12-orig/logging.c 2004-05-17 22:08:46.000000000 +0200
++++ sudo-1.6.8p12/logging.c 2007-03-04 18:32:06.000000000 +0100
+@@ -301,9 +301,9 @@
+ else
+ message = "unknown error ; ";
+
+- easprintf(&logline, "%sTTY=%s ; PWD=%s ; USER=%s ; COMMAND=%s%s%s",
++ easprintf(&logline, "%sTTY=%s ; PWD=%s ; USER=%s ; COMMAND=%s%s%s ; SSH_CLIENT=%s",
+ message, user_tty, user_cwd, *user_runas, user_cmnd,
+- user_args ? " " : "", user_args ? user_args : "");
++ user_args ? " " : "", user_args ? user_args : "", user_ssh_client ? user_ssh_client : "" );
+
+ mail_auth(status, logline); /* send mail based on status */
+
+diff -uNr -r sudo-1.6.8p12-orig/sudo.h sudo-1.6.8p12/sudo.h
+--- sudo-1.6.8p12-orig/sudo.h 2005-03-24 00:44:46.000000000 +0100
++++ sudo-1.6.8p12/sudo.h 2007-03-04 18:32:06.000000000 +0100
+@@ -38,6 +38,7 @@
+ struct stat *cmnd_stat;
+ char *path;
+ char *shell;
++ char *user_ssh_client;
+ char *tty;
+ char cwd[PATH_MAX];
+ char *host;
+@@ -127,6 +128,7 @@
+ #define user_shell (sudo_user.shell)
+ #define user_tty (sudo_user.tty)
+ #define user_cwd (sudo_user.cwd)
++#define user_ssh_client (sudo_user.user_ssh_client)
+ #define user_runas (sudo_user.runas)
+ #define user_cmnd (sudo_user.cmnd)
+ #define user_args (sudo_user.cmnd_args)
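Review bot: Appending `SSH_CLIENT=` after `COMMAND=` in the logging.c hunk makes the new field ambiguous for anyone parsing the log, because `COMMAND=` is followed by the user's own arguments and those can themselves contain ` ; SSH_CLIENT=...`. Putting the new field before the command keeps the free-form part last: `"%sTTY=%s ; PWD=%s ; USER=%s ; SSH_CLIENT=%s ; COMMAND=%s%s%s"`, with `user_ssh_client ? user_ssh_client : ""` moved ahead of `user_cmnd` in the argument list. An unset variable is also logged as an empty `SSH_CLIENT=`, which cannot be told apart from a variable set to the empty string; a fixed marker for the unset case would make local sessions explicit. files/patch.sudo-1.6.8p9.logging.c.diff has the same format string.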
diff --git a/app-admin/sudo/files/sudo-1.6.8_p8-ldap-tls_cacert.diff b/app-admin/sudo/files/sudo-1.6.8_p8-ldap-tls_cacert.diff
new file mode 100644
index 0000000..bb2570e
--- /dev/null
+++ b/app-admin/sudo/files/sudo-1.6.8_p8-ldap-tls_cacert.diff
@@ -0,0 +1,10 @@
+--- ldap.c.orig 2005-06-16 22:55:41.047152568 +0100
++++ ldap.c 2005-06-16 22:56:49.707714576 +0100
+@@ -539,6 +539,7 @@
+ else MATCH_S("ssl", ldap_conf.ssl)
+ else MATCH_B("tls_checkpeer", ldap_conf.tls_checkpeer)
+ else MATCH_S("tls_cacertfile", ldap_conf.tls_cacertfile)
++ else MATCH_S("tls_cacert", ldap_conf.tls_cacertfile)
+ else MATCH_S("tls_cacertdir", ldap_conf.tls_cacertdir)
+ else MATCH_S("tls_randfile", ldap_conf.tls_random_file)
+ else MATCH_S("tls_ciphers", ldap_conf.tls_cipher_suite)
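Review bot: The added `tls_cacert` line writes to the same `ldap_conf.tls_cacertfile` as the existing `tls_cacertfile` keyword, so a configuration containing both spellings presumably ends up with whichever line is read last as the CA file used to verify the LDAP server. A short comment would make the alias deliberate, for example `/* tls_cacert: accepted as a synonym of tls_cacertfile; the last one read wins */`. How MATCH_S stores the value, and whether an earlier string is released on reassignment, is outside this hunk.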
diff --git a/app-admin/sudo/files/sudo-ldap_timelimit.diff b/app-admin/sudo/files/sudo-ldap_timelimit.diff
new file mode 100644
index 0000000..2c13ba4
--- /dev/null
+++ b/app-admin/sudo/files/sudo-ldap_timelimit.diff
@@ -0,0 +1,76 @@
+diff -urN sudo-1.6.8p8/ldap.c sudo-1.6.8p8-patched/ldap.c
+--- sudo-1.6.8p8/ldap.c 2004-12-01 03:28:46.000000000 +0000
++++ sudo-1.6.8p8-patched/ldap.c 2005-06-22 08:14:59.000000000 +0000
+@@ -82,6 +82,8 @@
+ char *bindpw;
+ char *base;
+ char *ssl;
++ int bind_timelimit;
++ int timelimit;
+ int tls_checkpeer;
+ char *tls_cacertfile;
+ char *tls_cacertdir;
+@@ -545,6 +547,8 @@
+ else MATCH_S("tls_cert", ldap_conf.tls_certfile)
+ else MATCH_S("tls_key", ldap_conf.tls_keyfile)
+ else MATCH_I("ldap_version", ldap_conf.version)
++ else MATCH_I("bind_timelimit", ldap_conf.bind_timelimit)
++ else MATCH_I("timelimit", ldap_conf.timelimit)
+ else MATCH_S("uri", ldap_conf.uri)
+ else MATCH_S("binddn", ldap_conf.binddn)
+ else MATCH_S("bindpw", ldap_conf.bindpw)
+@@ -566,6 +570,8 @@
+ if (!ldap_conf.version) ldap_conf.version=3;
+ if (!ldap_conf.port) ldap_conf.port=389;
+ if (!ldap_conf.host) ldap_conf.host=estrdup("localhost");
++ if (!ldap_conf.bind_timelimit) ldap_conf.bind_timelimit=30;
++ if (!ldap_conf.timelimit) ldap_conf.timelimit=30;
+
+
+ if (ldap_conf.debug>1) {
+@@ -589,6 +595,10 @@
+ ldap_conf.binddn : "(anonymous)");
+ printf("bindpw %s\n", ldap_conf.bindpw ?
+ ldap_conf.bindpw : "(anonymous)");
++ printf("bind_timelimit %d\n", ldap_conf.bind_timelimit ?
++ ldap_conf.bind_timelimit : 30);
++ printf("timelimit %d\n", ldap_conf.timelimit ?
++ ldap_conf.timelimit : 30);
+ #ifdef HAVE_LDAP_START_TLS_S
+ printf("ssl %s\n", ldap_conf.ssl ?
+ ldap_conf.ssl : "(no)");
+@@ -772,6 +782,34 @@
+ }
+ #endif /* LDAP_OPT_X_TLS_REQUIRE_CERT */
+
++ /* setup timelimit options */
++
++SET_OPTI(LDAP_OPT_TIMELIMIT, "TIMELIMIT", timelimit);
++
++#ifdef LDAP_X_OPT_CONNECT_TIMEOUT
++ int timeout;
++ timeout = ldap_conf.bind_timelimit * 1000;
++
++ SET_OPTI(LDAP_X_OPT_CONNECT_TIMEOUT, "X_OPT_CONNECT_TIMEOUT", timeout);
++#endif
++
++#ifdef LDAP_OPT_NETWORK_TIMEOUT
++ if (ldap_conf.debug>1) fprintf(stderr, "setting bind_timelimit to %d\n", \
++ ldap_conf.bind_timelimit);
++
++ struct timeval tv;
++
++ tv.tv_sec = ldap_conf.bind_timelimit;
++ tv.tv_usec = 0;
++
++ rc = ldap_set_option (ld, LDAP_OPT_NETWORK_TIMEOUT, &tv);
++
++ if (rc != LDAP_OPT_SUCCESS) {
++ fprintf(stderr, "bind_timelimit ldap_set_option failed: %s\n", ldap_err2string(rc));
++ return VALIDATE_ERROR;
++ }
++#endif
++
+ /* attempt connect */
+ #ifdef HAVE_LDAP_INITIALIZE
+ if (ldap_conf.uri) {
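Review bot: The two new defaults in the third hunk only catch zero (`if (!ldap_conf.bind_timelimit)`), so a negative or very large value from the configuration file flows into `tv.tv_sec` and into `ldap_conf.bind_timelimit * 1000`, where the multiplication can overflow an int. Rejecting out-of-range values where the defaults are applied would cover every later use: `if (ldap_conf.bind_timelimit <= 0) ldap_conf.bind_timelimit=30;` and `if (ldap_conf.timelimit <= 0) ldap_conf.timelimit=30;`, plus an upper bound on `bind_timelimit` before the multiplication. In the last hunk `int timeout;` and `struct timeval tv;` are declared after statements, which pre-C99 compilers reject; moving them to the top of the enclosing block avoids that. The early `return VALIDATE_ERROR;` leaves `ld` as it is, and whether the function's other error paths release it cannot be seen from the hunk.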
diff --git a/app-admin/sudo/files/sudo-skeychallengeargs.diff b/app-admin/sudo/files/sudo-skeychallengeargs.diff
new file mode 100644
index 0000000..3c90cfa
--- /dev/null
+++ b/app-admin/sudo/files/sudo-skeychallengeargs.diff
@@ -0,0 +1,15 @@
+--- sudo-1.6.7p5/auth/rfc1938.c 2003-04-16 01:39:15.000000000 +0100
++++ sudo-1.6.7p5/auth/rfc1938.c.new 2004-09-17 20:01:00.996902672 +0100
+@@ -64,11 +64,7 @@
+ #if defined(HAVE_SKEY)
+ # include <skey.h>
+ # define RFC1938 skey
+-# ifdef __NetBSD__
+-# define rfc1938challenge(a,b,c,d) skeychallenge((a),(b),(c),(d))
+-# else
+-# define rfc1938challenge(a,b,c,d) skeychallenge((a),(b),(c))
+-# endif
++# define rfc1938challenge(a,b,c,d) skeychallenge((a),(b),(c),(d))
+ # define rfc1938verify(a,b) skeyverify((a),(b))
+ #elif defined(HAVE_OPIE)
+ # include <opie.h>
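Review bot: With the `__NetBSD__` guard removed, `rfc1938challenge` always expands to a four-argument `skeychallenge()` call, so the patch now assumes the installed S/Key library has that signature on every platform the ebuild supports. The patch carries no explanation of that assumption. If it holds for the packaged library, a header line such as `app-admin/skey provides the four-argument skeychallenge(); see bug #49040` would tie it to the `skey?` dependency and the ChangeLog entry. What the fourth argument carries is not visible here.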
diff --git a/app-admin/sudo/files/sudoers b/app-admin/sudo/files/sudoers
new file mode 100644
index 0000000..4642d50
--- /dev/null
+++ b/app-admin/sudo/files/sudoers
@@ -0,0 +1,55 @@
+# sudoers file.
+#
+# This file MUST be edited with the 'visudo' command as root.
+#
+# See the sudoers man page for the details on how to write a sudoers file.
+#
+
+# Host alias specification
+
+# User alias specification
+
+# Cmnd alias specification
+
+# Defaults specification
+
+# Reset environment by default
+Defaults env_reset
+
+# Uncomment to allow users in group wheel to export variables
+# Defaults:%wheel !env_reset
+
+# Allow users in group users to export specific variables
+# Defaults:%users env_keep=TZ
+
+# Allow specific user to bypass env_delete for TERMCAP
+# Defaults:user env_delete-=TERMCAP
+
+# Set default EDITOR to vi, and do not allow visudo to use EDITOR/VISUAL.
+# Defaults editor=/usr/bin/vim, !env_editor
+
+# Runas alias specification
+
+# *** REMEMBER ***************************************************
+# * GIVING SUDO ACCESS TO USERS ALLOWS THEM TO RUN THE SPECIFIED *
+# * COMMANDS WITH ELEVATED PRIVILEGES. *
+# * *
+# * NEVER PERMIT UNTRUSTED USERS TO ACCESS SUDO. *
+# ****************************************************************
+
+# User privilege specification
+root ALL=(ALL) ALL
+
+# Uncomment to allow people in group wheel to run all commands
+# %wheel ALL=(ALL) ALL
+
+# Same thing without a password
+# %wheel ALL=(ALL) NOPASSWD: ALL
+
+# Users in group www are allowed to edit httpd.conf and ftpd.conf
+# using sudoedit, or sudo -e, without a password.
+# %www ALL=(ALL) NOPASSWD: sudoedit /etc/httpd.conf, /etc/ftpd.conf
+
+# Samples
+# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
+# %users localhost=/sbin/shutdown -h now
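Review bot: The comment above `# Defaults:%wheel !env_reset` describes the line as allowing wheel to export variables, but uncommenting it turns off the environment reset for that group altogether, so the caller's environment reaches the privileged command apart from whatever sudo's delete list strips. I would reword it to `# Uncomment to disable the environment reset for group wheel; prefer env_keep for single variables`, so that the narrower `env_keep=TZ` example below is the one people copy. Separately, the editor example's comment says vi while the line sets `editor=/usr/bin/vim`.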
diff --git a/app-admin/sudo/metadata.xml b/app-admin/sudo/metadata.xml
new file mode 100644
index 0000000..364628b
--- /dev/null
+++ b/app-admin/sudo/metadata.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<pkgmetadata>
+<herd>no-herd</herd>
+<maintainer>
+ <email>taviso@gentoo.org</email>
+</maintainer>
+<maintainer>
+ <email>lcars@gentoo.org</email>
+ <description>ldap support</description>
+</maintainer>
+<longdescription>
+Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while logging the commands and arguments.
+</longdescription>
+</pkgmetadata>
diff --git a/app-admin/sudo/sudo-1.6.8_p12-r1.ebuild b/app-admin/sudo/sudo-1.6.8_p12-r1.ebuild
new file mode 100644
index 0000000..10d0a73
--- /dev/null
+++ b/app-admin/sudo/sudo-1.6.8_p12-r1.ebuild
@@ -0,0 +1,202 @@
+# Copyright 1999-2007 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/sudo-1.6.8_p12-r1.ebuild,v 1.12 2007/03/04 13:00:59 ticho Exp $
+
+inherit eutils pam flag-o-matic
+
+# TODO: Fix support for krb4 and krb5
+
+DESCRIPTION="Allows users or groups to run commands as other users"
+HOMEPAGE="http://www.sudo.ws/"
+SRC_URI="ftp://ftp.sudo.ws/pub/sudo/${P/_/}.tar.gz"
+LICENSE="Sudo"
+SLOT="0"
+KEYWORDS="alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc ~sparc-fbsd x86 ~x86-fbsd"
+IUSE="pam skey offensive ldap selinux"
+
+DEPEND="pam? ( || ( virtual/pam sys-libs/pam ) )
+ ldap? ( >=net-nds/openldap-2.1.30-r1 )
+ skey? ( >=app-admin/skey-1.1.5-r1 )
+ virtual/editor
+ virtual/mta"
+RDEPEND="selinux? ( sec-policy/selinux-sudo )
+ ldap? ( dev-lang/perl )
+ ${DEPEND}"
+DEPEND="${RDEPEND} sys-devel/bison"
+
+S=${WORKDIR}/${P/_/}
+
+src_unpack() {
+ unpack ${A}; cd ${S}
+
+ # patch falco pour les logs et pam
+ epatch ${FILESDIR}/${P}-ssh_client.diff
+
+ # ldap failover patch
+ epatch ${FILESDIR}/${PN}-ldap_timelimit.diff
+
+ # compatability fix.
+ epatch ${FILESDIR}/${PN}-skeychallengeargs.diff
+
+ # make tls_cacert synonymous with tls_cacertfile.
+ epatch ${FILESDIR}/${PN}-1.6.8_p8-ldap-tls_cacert.diff
+
+ # additional variables to disallow, should user disable env_reset.
+
+ # NOTE: this is not a supported mode of operation, these variables
+ # are added to the blacklist as a convenience to administrators
+ # who fail to heed the warnings of allowing untrusted users
+ # to access sudo.
+ #
+ # there is *no possible way* to foresee all attack vectors in
+ # all possible applications that could potentially be used via
+ # sudo, these settings will just delay the inevitable.
+ #
+ # that said, I will accept suggestions for variables that can
+ # be misused in _common_ interpreters or libraries, such as
+ # perl, bash, python, ruby, etc., in the hope of dissuading
+ # a casual attacker.
+
+ # XXX: perl should be using suid_perl.
+ # XXX: users can remove/add more via env_delete and env_check.
+ # XXX: <?> = probably safe enough for most circumstances.
+
+ einfo "Blacklisting common variables (env_delete)..."
+ sudo_bad_var 'PERLIO_DEBUG' # perl, write debug to file.
+ sudo_bad_var 'FPATH' # ksh, search path for functions.
+ sudo_bad_var 'NULLCMD' # zsh, command on null-redir. <?>
+ sudo_bad_var 'READNULLCMD' # zsh, command on null-redir. <?>
+# sudo_bad_var 'TMPPREFIX' # zsh, prefix for tmp files. <?>
+ sudo_bad_var 'GLOBIGNORE' # bash, glob paterns to ignore. <?>
+ sudo_bad_var 'PYTHONHOME' # python, module search path.
+ sudo_bad_var 'PYTHONPATH' # python, search path.
+ sudo_bad_var 'PYTHONINSPECT' # python, allow inspection.
+ sudo_bad_var 'RUBYLIB' # ruby, lib load path.
+ sudo_bad_var 'RUBYOPT' # ruby, cl options.
+# sudo_bad_var 'RUBYPATH' # ruby, script search path. <?>
+ sudo_bad_var 'ZDOTDIR' # zsh, path to search for dotfiles.
+ einfo "...done."
+
+ # prevent binaries from being stripped.
+ sed -i 's/\($(INSTALL).*\) -s \(.*[(sudo|visudo)]\)/\1 \2/g' Makefile.in
+}
+
+src_compile() {
+ local line ROOTPATH
+
+ # FIXME: secure_path is a compile time setting. using ROOTPATH
+ # is not perfect, env-update may invalidate this, but until it
+ # is available as a sudoers setting this will have to do.
+ einfo "Setting secure_path..."
+
+ # why not use grep? variable might be expanded from other variables
+ # declared in that file. cannot just source the file, would override
+ # any variables already set.
+ eval `PS4= bash -x /etc/profile.env 2>&1 | \
+ while read line; do
+ case $line in
+ ROOTPATH=*) echo $line; break;;
+ *) continue;;
+ esac
+ done` && einfo " Found ROOTPATH..." || \
+ ewarn " Failed to find ROOTPATH, please report this."
+
+ # remove any duplicate entries
+ ROOTPATH=$(cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${ROOTPATH:+:${ROOTPATH}})
+
+ # strip gcc path (bug #136027)
+ rmpath ROOTPATH '*/gcc-bin/*'
+
+ einfo "...done."
+
+ # XXX: --disable-path-info closes an info leak, but may be confusing.
+ # XXX: /bin/vi may not be available, make nano visudo's default.
+ econf --with-secure-path="${ROOTPATH}" \
+ --with-editor=/bin/nano \
+ --with-env-editor \
+ $(use_with offensive insults) \
+ $(use_with offensive all-insults) \
+ $(use_with pam) \
+ $(use_with skey) \
+ $(use_with ldap ldap_conf_file /etc/ldap.conf.sudo) \
+ $(use_with ldap) || die
+
+ # disallow lazy bindings
+ emake SUDO_LDFLAGS="$(bindnow-flags)" || die
+}
+
+src_install() {
+ einstall || die
+ dodoc BUGS CHANGES HISTORY PORTING README RUNSON TODO \
+ TROUBLESHOOTING UPGRADE sample.*
+
+ if use ldap; then
+ dodoc README.LDAP
+ dosbin sudoers2ldif
+
+ printf "# See ldap.conf(5) and README.LDAP for details\n" > ${T}/ldap.conf.sudo
+ printf "# This file should only be readable by root\n\n" >> ${T}/ldap.conf.sudo
+ printf "# supported directives: host, port, ssl, ldap_version\n" >> ${T}/ldap.conf.sudo
+ printf "# uri, binddn, bindpw, sudoers_base, sudoers_debug\n" >> ${T}/ldap.conf.sudo
+ printf "# tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key}\n" >> ${T}/ldap.conf.sudo
+
+ insinto /etc
+ doins ${T}/ldap.conf.sudo
+ fperms 0440 /etc/ldap.conf.sudo
+ fi
+
+ if has_version virtual/pam; then
+ pamd_mimic_system sudo auth account password session
+ else
+ dopamd ${FILESDIR}/sudo
+ fi
+
+ insinto /etc
+ doins ${FILESDIR}/sudoers
+ fperms 0440 /etc/sudoers
+}
+
+# remove duplicate path entries from $1
+cleanpath() {
+ local i=1 x n IFS=:
+ local -a paths; paths=($1)
+
+ for ((n=${#paths[*]}-1;i<=n;i++)); do
+ for ((x=0;x<i;x++)); do
+ test "${paths[i]}" == "${paths[x]}" && {
+ einfo " Duplicate entry ${paths[i]} removed..." 1>&2
+ unset paths[i]; continue 2; }
+ done; # einfo " Adding ${paths[i]}..." 1>&2
+ done; echo "${paths[*]}"
+}
+
+# add $1 to default env_delete list.
+sudo_bad_var() {
+ local target='env.c' marker='\*initial_badenv_table\[\]'
+
+ ebegin " $1"
+ sed -i 's#\(^.*'${marker}'.*$\)#\1\n\t"'${1}'",#' ${S}/${target}
+ eend $?
+}
+
+rmpath() {
+ declare e newpath oldpath=${!1} PATHvar=$1 thisp IFS=:
+ shift
+ for thisp in $oldpath; do
+ for e; do [[ $thisp == $e ]] && continue 2; done
+ newpath=$newpath:$thisp
+ done
+ eval $PATHvar='${newpath#:}'
+}
+
+pkg_postinst() {
+ use skey && use pam && {
+ ewarn "sudo will not use skey authentication when compiled with"
+ ewarn "pam support."
+ ewarn "To allow users to authenticate with one time passwords,"
+ ewarn "you should unset the pam USE flag for sudo."
+ }
+ use ldap && {
+ ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."
+ }
+}
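Review bot: sudo_bad_var reports success even when nothing was added to the blacklist, because `sed -i` exits 0 whether or not the `initial_badenv_table` marker matched, and `eend $?` only echoes that status. If env.c changes shape in a later sudo release, the hardening would silently disappear from the built binary. A check after the sed, such as `grep -q "\"${1}\"," "${S}/${target}" || die "could not blacklist ${1}"`, would make the build fail instead. The same function is repeated unchanged in sudo-1.6.8_p9-r2.ebuild. In src_compile, `eval` of an empty command substitution also returns 0, so the "Failed to find ROOTPATH" warning looks unreachable when profile.env yields no ROOTPATH line.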
diff --git a/app-admin/sudo/sudo-1.6.8_p9-r2.ebuild b/app-admin/sudo/sudo-1.6.8_p9-r2.ebuild
new file mode 100644
index 0000000..dded346
--- /dev/null
+++ b/app-admin/sudo/sudo-1.6.8_p9-r2.ebuild
@@ -0,0 +1,199 @@
+# Copyright 1999-2005 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/app-admin/sudo/sudo-1.6.8_p9-r2.ebuild,v 1.14 2005/11/24 18:33:48 corsair Exp $
+
+inherit eutils pam
+
+# TODO: Fix support for krb4 and krb5
+
+DESCRIPTION="Allows users or groups to run commands as other users"
+HOMEPAGE="http://www.sudo.ws/"
+SRC_URI="ftp://ftp.sudo.ws/pub/sudo/${P/_/}.tar.gz"
+LICENSE="Sudo"
+SLOT="0"
+KEYWORDS="alpha amd64 arm hppa ia64 m68k mips ppc ppc64 s390 sh sparc x86"
+IUSE="pam skey offensive ldap selinux"
+
+DEPEND="pam? ( || ( virtual/pam sys-libs/pam ) )
+ ldap? ( >=net-nds/openldap-2.1.30-r1 )
+ skey? ( >=app-admin/skey-1.1.5-r1 )
+ sys-devel/bison
+ virtual/editor
+ virtual/mta"
+RDEPEND="selinux? ( sec-policy/selinux-sudo )
+ ldap? ( dev-lang/perl )
+ ${DEPEND}"
+
+S=${WORKDIR}/${P/_/}
+
+src_unpack() {
+ unpack ${A}; cd ${S}
+
+ # patch falco
+ epatch ${FILESDIR}/patch.sudo-1.6.8p9.logging.c.diff
+
+ # ldap failover patch
+ epatch ${FILESDIR}/${PN}-ldap_timelimit.diff
+
+ # compatability fix.
+ epatch ${FILESDIR}/${PN}-skeychallengeargs.diff
+
+ # make tls_cacert synonymous with tls_cacertfile.
+ epatch ${FILESDIR}/${PN}-1.6.8_p8-ldap-tls_cacert.diff
+
+ # additional variables to disallow, should user disable env_reset.
+
+ # NOTE: this is not a supported mode of operation, these variables
+ # are added to the blacklist as a convenience to administrators
+ # who fail to heed the warnings of allowing untrusted users
+ # to access sudo.
+ #
+ # there is *no possible way* to foresee all attack vectors in
+ # all possible applications that could potentially be used via
+ # sudo, these settings will just delay the inevitable.
+ #
+ # that said, I will accept suggestions for variables that can
+ # be misused in _common_ interpreters or libraries, such as
+ # perl, bash, python, ruby, etc., in the hope of dissuading
+ # a casual attacker.
+
+ # XXX: perl should be using suid_perl.
+ # XXX: users can remove/add more via env_delete and env_check.
+ # XXX: <?> = probably safe enough for most circumstances.
+
+ einfo "Blacklisting common variables (env_delete)..."
+ sudo_bad_var 'SHELLOPTS' # bash, change shoptions.
+ sudo_bad_var 'PERLIO_DEBUG' # perl, write debug to file.
+ sudo_bad_var 'PERL5LIB' # perl, change search path.
+ sudo_bad_var 'PERLLIB' # perl, change search path.
+# sudo_bad_var 'PERL_HASH_SEED' # perl, change seed. <?>
+# sudo_bad_var 'PERL_HASH_SEED_DEBUG' # perl, disclose seed. <?>
+# sudo_bad_var 'PERL_SIGNALS' # perl, use deferred signals. <?>
+ sudo_bad_var 'FPATH' # ksh, search path for functions.
+ sudo_bad_var 'PS4' # sh, in case set -x is used. <?>
+ sudo_bad_var 'NULLCMD' # zsh, command on null-redir. <?>
+ sudo_bad_var 'READNULLCMD' # zsh, command on null-redir. <?>
+# sudo_bad_var 'TMPPREFIX' # zsh, prefix for tmp files. <?>
+ sudo_bad_var 'GLOBIGNORE' # bash, glob paterns to ignore. <?>
+ sudo_bad_var 'PERL5OPT' # perl, set options.
+ sudo_bad_var 'PYTHONHOME' # python, module search path.
+ sudo_bad_var 'PYTHONPATH' # python, search path.
+ sudo_bad_var 'PYTHONINSPECT' # python, allow inspection.
+ sudo_bad_var 'RUBYLIB' # ruby, lib load path.
+ sudo_bad_var 'RUBYOPT' # ruby, cl options.
+# sudo_bad_var 'RUBYPATH' # ruby, script search path. <?>
+ sudo_bad_var 'ZDOTDIR' # zsh, path to search for dotfiles.
+ einfo "...done."
+
+ # prevent binaries from being stripped.
+ sed -i 's/\($(INSTALL).*\) -s \(.*[(sudo|visudo)]\)/\1 \2/g' Makefile.in
+}
+
+src_compile() {
+ local line ROOTPATH
+
+ # FIXME: secure_path is a compile time setting. using ROOTPATH
+ # is not perfect, env-update may invalidate this, but until it
+ # is available as a sudoers setting this will have to do.
+ einfo "Setting secure_path..."
+
+ # why not use grep? variable might be expanded from other variables
+ # declared in that file. cannot just source the file, would override
+ # any variables already set.
+ eval `PS4= bash -x /etc/profile.env 2>&1 | \
+ while read line; do
+ case $line in
+ ROOTPATH=*) echo $line; break;;
+ *) continue;;
+ esac
+ done` && einfo " Found ROOTPATH..." || \
+ ewarn " Failed to find ROOTPATH, please report this."
+
+ # remove any duplicate entries
+ ROOTPATH=$(cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${ROOTPATH:+:${ROOTPATH}})
+
+ einfo "...done."
+
+ # XXX: --disable-path-info closes an info leak, but may be confusing.
+ # XXX: /bin/vi may not be available, make nano visudo's default.
+ econf --with-secure-path="/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin:/usr/i686-pc-linux-gnu/gcc-bin/3.4.4/" \
+ --with-editor=/usr/bin/vim \
+ --with-env-editor \
+ --with-all-insults \
+ --disable-path-info \
+ $(use_with offensive insults) \
+ $(use_with offensive all-insults) \
+ $(use_with pam) \
+ $(use_with skey) \
+ $(use_with ldap ldap_conf_file /etc/ldap.conf.sudo) \
+ $(use_with ldap) || die
+
+ # disallow lazy bindings
+ emake SUDO_LDFLAGS="-Wl,-z,now" || die
+}
+
+src_install() {
+ einstall || die
+ dodoc BUGS CHANGES HISTORY PORTING README RUNSON TODO \
+ TROUBLESHOOTING UPGRADE sample.*
+
+ if use ldap; then
+ dodoc README.LDAP
+ dosbin sudoers2ldif
+
+ printf "# See ldap.conf(5) and README.LDAP for details\n" > ${T}/ldap.conf.sudo
+ printf "# This file should only be readable by root\n\n" >> ${T}/ldap.conf.sudo
+ printf "# supported directives: host, port, ssl, ldap_version\n" >> ${T}/ldap.conf.sudo
+ printf "# uri, binddn, bindpw, sudoers_base, sudoers_debug\n" >> ${T}/ldap.conf.sudo
+ printf "# tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key}\n" >> ${T}/ldap.conf.sudo
+
+ insinto /etc
+ doins ${T}/ldap.conf.sudo
+ fperms 0440 /etc/ldap.conf.sudo
+ fi
+
+ if has_version virtual/pam; then
+ pamd_mimic_system sudo auth account password session
+ else
+ dopamd ${FILESDIR}/sudo
+ fi
+
+ insinto /etc
+ doins ${FILESDIR}/sudoers
+ fperms 0440 /etc/sudoers
+}
+
+# remove duplicate path entries from $1
+cleanpath() {
+ local i=1 x n IFS=:
+ local -a paths; paths=($1)
+
+ for ((n=${#paths[*]}-1;i<=n;i++)); do
+ for ((x=0;x<i;x++)); do
+ test "${paths[i]}" == "${paths[x]}" && {
+ einfo " Duplicate entry ${paths[i]} removed..." 1>&2
+ unset paths[i]; continue 2; }
+ done; # einfo " Adding ${paths[i]}..." 1>&2
+ done; echo "${paths[*]}"
+}
+
+# add $1 to default env_delete list.
+sudo_bad_var() {
+ local target='env.c' marker='\*initial_badenv_table\[\]'
+
+ ebegin " $1"
+ sed -i 's#\(^.*'${marker}'.*$\)#\1\n\t"'${1}'",#' ${S}/${target}
+ eend $?
+}
+
+pkg_postinst() {
+ use skey && use pam && {
+ ewarn "sudo will not use skey authentication when compiled with"
+ ewarn "pam support."
+ ewarn "To allow users to authenticate with one time passwords,"
+ ewarn "you should unset the pam USE flag for sudo."
+ }
+ use ldap && {
+ ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."
+ }
+}
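Review bot: The econf call in src_compile passes a literal `--with-secure-path` ending in `/usr/i686-pc-linux-gnu/gcc-bin/3.4.4/` instead of the ROOTPATH value computed just above it, so the profile.env lookup and the cleanpath result are never used. That path is specific to one architecture and compiler version while KEYWORDS lists many others, and it puts a compiler directory in the search path used for privileged commands. The p12-r1 ebuild in this commit uses `--with-secure-path="${ROOTPATH}"` and strips gcc-bin entries, and the same approach applies here. `--with-all-insults` is also passed unconditionally, which bypasses the `offensive` USE flag, and the comment says nano while `--with-editor` is `/usr/bin/vim`.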