Merge commit 'upstream/1.8.3p2'
[debian/sudo] / sudo.pp
1 %set
2         if test -n "$flavor"; then
3                 name="sudo-$flavor"
4                 pp_kit_package="sudo_$flavor"
5         else
6                 name="sudo"
7                 pp_kit_package="sudo"
8         fi
9         summary="Provide limited super-user privileges to specific users"
10         description="Sudo is a program designed to allow a sysadmin to give \
11 limited root privileges to users and log root activity.  \
12 The basic philosophy is to give as few privileges as possible but \
13 still allow people to get their work done."
14         vendor="Todd C. Miller"
15         copyright="(c) 1993-1996,1998-2011 Todd C. Miller"
16
17 %if [aix]
18         # AIX package summary is limited to 40 characters
19         summary="Configurable super-user privileges"
20
21         # Convert to 4 part version for AIX, including patch level
           # The three sed expressions apply in order: "X.Y.ZpN" becomes
           # "X.Y.Z.N"; any other suffix that starts with a character other
           # than a digit or dot is cut off after X.Y.Z; a result that is
           # still three-part gets ".0" appended.
           # NOTE(review): $version is expanded unquoted inside the backquotes;
           # presumably it comes from the build and holds only a version
           # string - confirm.
22         pp_aix_version=`echo $version|sed -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)p\([0-9]*\)$/\1.\2/' -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)[^0-9\.].*$/\1/' -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)$/\1.0/'`
23 %endif
24
25 %if [kit]
26         # Strip off patchlevel for kit which only supports xyz versions
           # The first expression deletes every dot, the second removes a
           # trailing run of non-digits followed by digits (the pN suffix).
27         pp_kit_version="`echo $version|sed -e 's/\.//g' -e 's/[^0-9][^0-9]*[0-9][0-9]*$//'`"
28         pp_kit_name="TCM"
29 %endif
30
31 %if [sd]
32         pp_sd_vendor_tag="TCM"
33 %endif
34
35 %if [solaris]
36         pp_solaris_name="TCM${name}"
           # The pstamp is the build host's current date, so two builds of the
           # same source carry different package metadata; keep that in mind
           # when comparing or reproducing packages.
37         pp_solaris_pstamp=`/usr/bin/date "+%B %d, %Y"`
38 %endif
39
40 %if [rpm,deb]
41         # Convert patch level into release and remove from version
42         pp_rpm_release="`expr \( $version : '.*p\([0-9][0-9]*\)' \| 0 \) + 1`"
43         pp_rpm_version="`expr $version : '\(.*\)p[0-9][0-9]*'`"
44         pp_rpm_license="BSD"
45         pp_rpm_url="http://www.sudo.ws/"
46         pp_rpm_group="Applications/System"
47         pp_rpm_packager="Todd.Miller@courtesan.com"
48         if test -n "$linux_audit"; then
49                 pp_rpm_requires="audit-libs >= $linux_audit"
50         fi
51
52         pp_deb_maintainer="$pp_rpm_packager"
53         pp_deb_release="$pp_rpm_release"
54         pp_deb_version="$pp_rpm_version"
55 %else
56         # For all but RPM and Debian we need to install sudoers with a different
57         # name and make a copy of it if there is no existing file.
58         mv ${pp_destdir}$sudoersdir/sudoers ${pp_destdir}$sudoersdir/sudoers.dist
59 %endif
60
61 %if [rpm]
62         # Add distro info to release
           # osrelease is $pp_rpm_distro with its leading non-digits removed
           # and everything from the first "-" onward cut off. For CentOS and
           # RHEL, ${osrelease%%[0-9]} then drops one trailing digit (a
           # constructed osrelease of 50 gives the suffix ".el5"); SLES keeps
           # the value unchanged. Other distros get no suffix.
63         osrelease=`echo "$pp_rpm_distro" | sed -e 's/^[^0-9]*//' -e 's/-.*$//'`
64         case "$pp_rpm_distro" in
65         centos*|rhel*)
66                 pp_rpm_release="$pp_rpm_release.el${osrelease%%[0-9]}"
67                 ;;
68         sles*)
69                 pp_rpm_release="$pp_rpm_release.sles$osrelease"
70                 ;;
71         esac
72
73         # Uncomment some Defaults in sudoers
74         # Note that the order must match that of sudoers.
           # Each ed address is a search that starts from the current line,
           # which is why the commands must follow the order of the file. The
           # edits change the sudoers policy that ships in the package: if the
           # comment text in the sudoers template changes, a search can fail
           # or land on a different line, and ed's exit status is not checked
           # here, so review the generated sudoers whenever the template is
           # updated.
           # NOTE(review): on SLES the +2 and +3 lines are presumably the
           # "Defaults targetpw" entry and the "ALL ALL=(ALL) ALL" rule of the
           # sample sudoers - confirm against the template. Enabled together
           # they let any local user run commands as another user by entering
           # that user's password, so the target (root) password becomes the
           # only barrier.
75         case "$pp_rpm_distro" in
76         centos*|rhel*)
77                 /bin/ed - ${pp_destdir}${sudoersdir}/sudoers <<-'EOF'
78                 /Locale settings/+1,s/^# //
79                 /Desktop path settings/+1,s/^# //
80                 w
81                 q
82                 EOF
83                 ;;
84         sles*)
85                 /bin/ed - ${pp_destdir}${sudoersdir}/sudoers <<-'EOF'
86                 /Locale settings/+1,s/^# //
87                 /ConsoleKit session/+1,s/^# //
88                 /allow any user to run sudo if they know the password/+2,s/^# //
89                 /allow any user to run sudo if they know the password/+3,s/^# //
90                 w
91                 q
92                 EOF
93                 ;;
94         esac
95
96         # For RedHat the doc dir is expected to include version and release
           # docdir is reassigned after the rename so that the $docdir entries
           # in the %files section refer to the renamed directory.
97         case "$pp_rpm_distro" in
98         centos*|rhel*)
99                 mv ${pp_destdir}/${docdir} ${pp_destdir}/${docdir}-${version}-${pp_rpm_release}
100                 docdir=${docdir}-${version}-${pp_rpm_release}
101                 ;;
102         esac
103
104         # Choose the correct PAM file by distro, must be tab indented for "<<-"
            # The here-documents use an unquoted EOF, so the shell would expand
            # "$" or backquotes inside them; none of the PAM bodies below
            # contains either.
            # "test $osrelease -lt N" is unquoted: if osrelease were empty or
            # not a number, test reports an error and the else branch (the
            # include-style file) is the one written.
            # The RHEL/CentOS files and the SLES 10+ file hand authentication
            # to the system-wide stacks (system-auth, common-*), so controls
            # configured there also govern sudo. The sudo-i file is written
            # only on the newer RHEL/CentOS branch and includes the sudo
            # service.
            # NOTE(review): the SLES < 10 file has auth and session lines but
            # no account line; what account checks apply then depends on the
            # system's fallback PAM configuration - verify on such hosts.
105         case "$pp_rpm_distro" in
106         centos*|rhel*)
107                 mkdir -p ${pp_destdir}/etc/pam.d
108                 if test $osrelease -lt 50; then
109                         cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
110                         #%PAM-1.0
111                         auth       required     pam_stack.so service=system-auth
112                         account    required     pam_stack.so service=system-auth
113                         password   required     pam_stack.so service=system-auth
114                         session    required     pam_limits.so
115                         EOF
116                 else
117                         cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
118                         #%PAM-1.0
119                         auth       include      system-auth
120                         account    include      system-auth
121                         password   include      system-auth
122                         session    optional     pam_keyinit.so revoke
123                         session    required     pam_limits.so
124                         EOF
125                         cat > ${pp_destdir}/etc/pam.d/sudo-i <<-EOF
126                         #%PAM-1.0
127                         auth       include      sudo
128                         account    include      sudo
129                         password   include      sudo
130                         session    optional     pam_keyinit.so force revoke
131                         session    required     pam_limits.so
132                         EOF
133                 fi
134                 ;;
135           sles*)
136                 mkdir -p ${pp_destdir}/etc/pam.d
137                 if test $osrelease -lt 10; then
138                         cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
139                         #%PAM-1.0
140                         auth     required       pam_unix2.so
141                         session  required       pam_limits.so
142                         EOF
143                 else
144                         cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
145                         #%PAM-1.0
146                         auth     include        common-auth
147                         account  include        common-account
148                         password include        common-password
149                         session  include        common-session
150                         # session  optional     pam_xauth.so
151                         EOF
152                 fi
153                 ;;
154         esac
155 %endif
156
157 %if [deb]
158         # Uncomment some Defaults and the %sudo rule in sudoers
159         # Note that the order must match that of sudoers and be tab-indented.
            # Uncommenting the %sudo rule makes membership of the "sudo" group
            # the grant of sudo rights on Debian; the %post [deb] script
            # creates that group when it does not exist. As with any scripted
            # edit of a policy file, check the generated sudoers when the
            # template's comment text changes, because ed's exit status is
            # not checked here.
160         /bin/ed - ${pp_destdir}${sudoersdir}/sudoers <<-'EOF'
161         /Locale settings/+1,s/^# //
162         /X11 resource/+1,s/^# //
163         /^# \%sudo/,s/^# //
164         w
165         q
166         EOF
            # The Debian PAM file takes auth and account handling from the
            # system-wide common-auth and common-account files, so settings
            # made there also govern sudo. The here-document is unquoted, but
            # its body holds nothing for the shell to expand.
167         mkdir -p ${pp_destdir}/etc/pam.d
168         cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
169         #%PAM-1.0
170
171         @include common-auth
172         @include common-account
173
174         session required pam_permit.so
175         session required pam_limits.so
176         EOF
177 %endif
178
179         # OS-level directories that should generally exist but might not.
180         extradirs=`echo ${pp_destdir}/${mandir}/[mc]* | sed "s#${pp_destdir}/##g"`
181         extradirs="$extradirs `dirname $docdir` `dirname $timedir`"
182         test -d ${pp_destdir}/etc/pam.d && extradirs="${extradirs} /etc/pam.d"
183         for dir in $bindir $sbindir $libexecdir $includedir $extradirs; do
184                 while test "$dir" != "/"; do
185                         osdirs="${osdirs}${osdirs+ }$dir/"
186                         dir=`dirname $dir`
187                 done
188         done
189         osdirs=`echo $osdirs | tr " " "\n" | sort -u`
190
191 %files
            # File list with mode and owner columns. The modes here are the
            # package's permission model and are worth verifying on an
            # installed system:
            #  - sudo and sudoedit are 4111 owned by root: the setuid bit plus
            #    execute-only, so they run as root for every caller and cannot
            #    be read by unprivileged users.
            #  - visudo and sudoreplay are 0111: execute-only, no setuid bit.
            #  - sudoers.d is 0750 and the timestamp directory is 0700 root.
            #  - sudoers (or sudoers.dist off RPM/Debian) takes $sudoers_mode
            #    and $sudoers_uid:$sudoers_gid from the build.
            # NOTE(review): $libexecdir/* and the header carry no explicit
            # mode or owner; presumably sudo loads its plugins from
            # $libexecdir, so confirm those files end up root-owned and not
            # writable by group or others.
            # NOTE(review): "volatile" presumably marks files expected to
            # change after installation - confirm in the packaging tool's
            # documentation. /etc/pam.d/* packages whatever the %set section
            # staged under etc/pam.d.
192         $osdirs                -
193         $bindir/sudo        4111 root:
194         $bindir/sudoedit    4111 root:
195         $sbindir/visudo     0111
196         $bindir/sudoreplay  0111
197         $includedir/sudo_plugin.h
198         $libexecdir/*           optional
199         $sudoersdir/sudoers.d/  0750 $sudoers_uid:$sudoers_gid
200         $timedir/               0700 root:
201         $docdir/
202         $docdir/*
203         $localedir/             optional
204         $localedir/**           optional
205         /etc/pam.d/*            volatile,optional
206 %if [rpm,deb]
207         $sudoersdir/sudoers $sudoers_mode $sudoers_uid:$sudoers_gid volatile
208 %else
209         $sudoersdir/sudoers.dist $sudoers_mode $sudoers_uid:$sudoers_gid volatile
210 %endif
211
212 %files [!aix]
            # Manual pages for every platform except AIX; not marked optional.
213         $mandir/man*/*
214
215 %files [aix]
216         # Some versions use catpages, some use manpages.
            # Both patterns are optional, so whichever set exists is packaged.
217         $mandir/cat*/* optional
218         $mandir/man*/* optional
219
220 %post [!rpm,deb]
221         # Don't overwrite an existing sudoers file
            # Post-install step for platforms other than RPM and Debian: the
            # packaged sudoers.dist becomes sudoers only when no sudoers is
            # readable at that path, so an administrator's policy survives
            # upgrades. Mode, owner and group are then set explicitly from the
            # build-time values rather than left to whatever cp produced.
            # NOTE(review): the test is for readability (-r), not existence,
            # and no exit status is checked; confirm the result on the target
            # with the installed sudoers' mode and ownership.
222         sudoersdir=%{sudoersdir}
223         if test ! -r $sudoersdir/sudoers; then
224                 cp $sudoersdir/sudoers.dist $sudoersdir/sudoers
225                 chmod %{sudoers_mode} $sudoersdir/sudoers
226                 chown %{sudoers_uid} $sudoersdir/sudoers
227                 chgrp %{sudoers_gid} $sudoersdir/sudoers
228         fi
229
230 %post [deb]
231         # dpkg-deb does not maintain the mode on the sudoers file, and
232         # installs it 0640 when sudo requires 0440
            # The mode is re-applied on every configure run, which also resets
            # a sudoers file whose mode was changed locally.
233         chmod %{sudoers_mode} %{sudoersdir}/sudoers
234
235         # create symlink to ease transition to new path for ldap config
236         # if old config file exists and new one doesn't
            # NOTE(review): once the link exists, /etc/sudo-ldap.conf resolves
            # to the shared /etc/ldap/ldap.conf; presumably sudo's LDAP
            # support then takes its server and bind settings from that file,
            # so its ownership and mode decide who can change where sudo looks
            # up policy - confirm it is root-owned and not writable by others.
237         if test X"%{flavor}" = X"ldap" -a \
238             -r /etc/ldap/ldap.conf -a ! -r /etc/sudo-ldap.conf; then
239                 ln -s /etc/ldap/ldap.conf /etc/sudo-ldap.conf
240         fi
241
242         # Debian uses a sudo group in its default sudoers file
            # The perl script below does the following. If a group named
            # "sudo" already exists it is reused unchanged, so its current
            # members are the ones the %sudo rule in sudoers applies to; audit
            # that membership on systems where the group predates this
            # package. Otherwise the first unused gid at or above 27 is
            # chosen. When gid 27 is taken the administrator is asked whether
            # to stop, and an install with no answer on stdin continues with
            # the next free gid. $gid is a number computed inside the script,
            # not external input, when it is placed into the groupadd command
            # line. groupadd's exit status is not checked and the script exits
            # 0 either way, so a failed group creation is not reported.
243         perl -e '
244                 exit 0 if getgrnam("sudo");
245                 $gid = 27; # default debian sudo gid
246                 setgrent();
247                 while (getgrgid($gid)) { $gid++; }
248                 if ($gid != 27) {
249                         print "On Debian we normally use gid 27 for \"sudo\".\n";
250                         $gname = getgrgid(27);
251                         print "However, on your system gid 27 is group \"$gname\".\n\n";
252                         print "Would you like me to stop configuring sudo so that you can change this? [n] "; 
253                         $ans = <STDIN>;
254                         if ($ans =~ /^[yY]/) {
255                                 print "\"dpkg --pending --configure\" will restart the configuration.\n\n";
256                                 exit 1;
257                         }
258                 }
259                 print "Creating group \"sudo\" with gid = $gid\n";
260                 system("groupadd -g $gid sudo");
261                 exit 0;
262         '
263
264 %preun [deb]
265         # Remove the /etc/ldap/ldap.conf -> /etc/sudo-ldap.conf symlink if
266         # it matches what we created in the postinstall script.
267         if test X"%{flavor}" = X"ldap" -a \
268             X"`readlink /etc/sudo-ldap.conf 2>/dev/null`" = X"/etc/ldap/ldap.conf"; then
269                 rm -f /etc/sudo-ldap.conf
270         fi