patch from Moritz Muehlenhoff to enable hardened build flags

[debian/sudo] / debian / rules

#!/usr/bin/make -f

export DH_VERBOSE=1

CFLAGS = `dpkg-buildflags --get CFLAGS`
CFLAGS += -Wall -Wno-comment
LDFLAGS = `dpkg-buildflags --get LDFLAGS`
CPPFLAGS = `dpkg-buildflags --get CPPFLAGS`

configure: configure-stamp
configure-stamp:
        dh_testdir
        cp -f /usr/share/misc/config.sub config.sub
        cp -f /usr/share/misc/config.guess config.guess

        # simple version
        mkdir -p build-simple
        cd build-simple && NROFFPROG=/usr/bin/nroff CFLAGS="$(CFLAGS)" \
            CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" $(CURDIR)/configure \
                --prefix=/usr -v \
                --with-all-insults \
                --with-pam \
                --with-fqdn \
                --with-logging=syslog \
                --with-logfac=authpriv \
                --with-env-editor \
                --with-editor=/usr/bin/editor \
                --with-timeout=15 \
                --with-password-timeout=0 \
                --with-passprompt="[sudo] password for %p: " \
                --disable-root-mailer \
                --with-sendmail=/usr/sbin/sendmail \
                --with-timedir=/var/lib/sudo \
                --mandir=/usr/share/man \
                --libexecdir=/usr/lib/sudo

        # LDAP version
        mkdir -p build-ldap
        cd build-ldap && NROFFPROG=/usr/bin/nroff CFLAGS="$(CFLAGS)" \
            CPPFLAGS="$(CPPFLAGS)" LDFLAGS="$(LDFLAGS)" $(CURDIR)/configure \
                --prefix=/usr -v \
                --with-all-insults \
                --with-pam \
                --with-ldap \
                --with-fqdn \
                --with-logging=syslog \
                --with-logfac=authpriv \
                --with-env-editor \
                --with-editor=/usr/bin/editor \
                --with-timeout=15 \
                --with-password-timeout=0 \
                --with-passprompt="[sudo] password for %p: " \
                --disable-root-mailer \
                --disable-setresuid \
                --with-sendmail=/usr/sbin/sendmail \
                --with-ldap-conf-file=/etc/sudo-ldap.conf \
                --mandir=/usr/share/man \
                --libexecdir=/usr/lib/sudo \
                --with-secure-path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin"

        touch configure-stamp

build: build-arch build-indep
build-arch: build-stamp
build-indep: build-stamp
build-stamp: configure-stamp
        dh_testdir

        # ensure our pod changes get picked up
        $(MAKE) -C doc sudoers.man.in sudo.man.in visudo.man.in

        $(MAKE) -C build-simple
        $(MAKE) -C build-ldap

        $(MAKE) -C build-simple check

        touch build-stamp

clean:
        dh_testdir
        dh_testroot
        rm -f configure-stamp build-stamp
        rm -rf build-simple build-ldap
        rm -f config.cache
        dh_clean

install: build-stamp
        dh_testdir
        dh_testroot
        dh_prep
        dh_installdirs

        $(MAKE) -C build-simple install DESTDIR=$(CURDIR)/debian/sudo
        $(MAKE) -C build-ldap   install DESTDIR=$(CURDIR)/debian/sudo-ldap

        # remove stuff we don't want
        rm -f   debian/sudo*/etc/sudoers \
                debian/sudo*/usr/share/doc/sudo/LICENSE* \
                debian/sudo*/usr/share/doc/sudo/ChangeLog

        # move upstream-installed docs to the right place for ldap package
        mv      debian/sudo-ldap/usr/share/doc/sudo/* \
                debian/sudo-ldap/usr/share/doc/sudo-ldap/
        rmdir   debian/sudo-ldap/usr/share/doc/sudo

        # move sample files to the examples folder
        mv      debian/sudo/usr/share/doc/sudo/sample.* \
                debian/sudo/usr/share/doc/sudo/examples/
        mv      debian/sudo-ldap/usr/share/doc/sudo-ldap/sample.* \
                debian/sudo-ldap/usr/share/doc/sudo-ldap/examples/

        # and install things we do want that make install doesn't know about
        install -o root -g root -m 0644 debian/sudo.pam \
                debian/sudo/etc/pam.d/sudo
        install -o root -g root -m 0644 debian/sudo.pam \
                debian/sudo-ldap/etc/pam.d/sudo

        install -o root -g root -m 0644 debian/sudo.lintian \
                debian/sudo/usr/share/lintian/overrides/sudo
        install -o root -g root -m 0644 debian/sudo-ldap.lintian \
                debian/sudo-ldap/usr/share/lintian/overrides/sudo-ldap

        install -o root -g root -m 0440 debian/sudoers \
                debian/sudo/etc/sudoers
        install -o root -g root -m 0440 debian/sudoers \
                debian/sudo-ldap/etc/sudoers

        install -o root -g root -m 0440 debian/README \
                debian/sudo/etc/sudoers.d/README
        install -o root -g root -m 0440 debian/README \
                debian/sudo-ldap/etc/sudoers.d/README

binary-indep: build install

binary-arch: build install
        dh_testdir
        dh_testroot
        dh_installdocs -A
        dh_installinit -psudo -psudo-ldap --name=sudo
        dh_installman -A
        dh_installinfo -A
        dh_installchangelogs ChangeLog 
        dh_strip
        dh_compress
        dh_fixperms
        chown root.root debian/sudo/usr/bin/sudo debian/sudo-ldap/usr/bin/sudo
        chmod 4755 debian/sudo/usr/bin/sudo debian/sudo-ldap/usr/bin/sudo
        chmod 0440      debian/sudo/etc/sudoers.d/README \
                        debian/sudo-ldap/etc/sudoers.d/README
        dh_installdeb
        dh_shlibdeps
        dh_gencontrol
        dh_md5sums
        dh_builddeb

binary: binary-indep binary-arch
.PHONY: configure build-indep build-arch build clean binary-indep binary-arch binary install