fix for 596493 from upstream

[debian/sudo] / sudo.pp

%set
        if test -n "$flavor"; then
                name="sudo-$flavor"
                pp_kit_package="sudo_$flavor"
        else
                name="sudo"
                pp_kit_package="sudo"
        fi
        summary="Provide limited super-user priveleges to specific users"
        description="Sudo is a program designed to allow a sysadmin to give \
limited root privileges to users and log root activity.  \
The basic philosophy is to give as few privileges as possible but \
still allow people to get their work done."
        vendor="Todd C. Miller"
        copyright="(c) 1993-1996,1998-2010 Todd C. Miller"

        # Convert to 4 part version for AIX, including patch level
        pp_aix_version=`echo $version|sed -e 's/\([0-9]*\.[0-9]*\.[0-9]*\)$/\1.0/' -e 's/[^0-9]*\([0-9]*\)$/.\1/'`

        # Strip of patchlevel for kit which only supports x.y.z versions
        pp_kit_version="`echo $version|sed -e 's/\.//g' -e 's/p[0-9]*$//'`"
        pp_kit_name="TCM"

        pp_sd_vendor_tag="TCM"
        pp_solaris_name="TCM${name}"
%if [rpm,deb]
        # Convert patch level into release and remove from version
        pp_rpm_release="`echo $version|sed 's/^[0-9]*\.[0-9]*\.[0-9]*[^0-9]*//'`"
        pp_rpm_release="`expr $pp_rpm_release + 1`"
        pp_rpm_version="`echo $version|sed 's/p[0-9]*$//'`"
        pp_rpm_license="BSD"
        pp_rpm_url="http://www.sudo.ws/"
        pp_rpm_group="Applications/System"
        pp_rpm_packager="Todd.Miller@courtesan.com"

        pp_deb_maintainer="$pp_rpm_packager"
        pp_deb_release="$pp_rpm_release"
        pp_deb_version="$pp_rpm_version"
%else
        # For all but RPM and Debian we need to install sudoers with a different
        # name and make a copy of it if there is no existing file.
        mv ${pp_destdir}$sudoersdir/sudoers ${pp_destdir}$sudoersdir/sudoers.dist
%endif

%set [rpm]
        # Add distro info to release
        osrelease=`echo "$pp_rpm_distro" | sed -e 's/^[^0-9]*//' -e 's/-.*$//'`
        case "$pp_rpm_distro" in
        centos*|rhel*)
                pp_rpm_release="$pp_rpm_release.el${osrelease%%[0-9]}"
                ;;
        sles*)
                pp_rpm_release="$pp_rpm_release.sles$osrelease"
                ;;
        esac

        # Uncomment some Defaults in sudoers
        # Note that the order must match that of sudoers.
        case "$pp_rpm_distro" in
        centos*|rhel*)
                /bin/ed - ${pp_destdir}${sudoersdir}/sudoers <<-'EOF'
                /Locale settings/+1,s/^# //
                /Desktop path settings/+1,s/^# //
                w
                q
                EOF
                ;;
        sles*)
                /bin/ed - ${pp_destdir}${sudoersdir}/sudoers <<-'EOF'
                /Locale settings/+1,s/^# //
                /ConsoleKit session/+1,s/^# //
                /allow any user to run sudo if they know the password/+2,s/^# //
                /allow any user to run sudo if they know the password/+3,s/^# //
                w
                q
                EOF
                ;;
        esac

        # For RedHat the doc dir is expected to include version and release
        case "$pp_rpm_distro" in
        centos*|rhel*)
                mv ${pp_destdir}/${docdir} ${pp_destdir}/${docdir}-${version}-${pp_rpm_release}
                docdir=${docdir}-${version}-${pp_rpm_release}
                ;;
        esac

        # Choose the correct PAM file by distro, must be tab indented for "<<-"
        case "$pp_rpm_distro" in
        centos*|rhel*)
                mkdir -p ${pp_destdir}/etc/pam.d
                if test $osrelease -lt 50; then
                        cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
                        #%PAM-1.0
                        auth       required     pam_stack.so service=system-auth
                        account    required     pam_stack.so service=system-auth
                        password   required     pam_stack.so service=system-auth
                        session    required     pam_limits.so
                        EOF
                else
                        cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
                        #%PAM-1.0
                        auth       include      system-auth
                        account    include      system-auth
                        password   include      system-auth
                        session    optional     pam_keyinit.so revoke
                        session    required     pam_limits.so
                        EOF
                        cat > ${pp_destdir}/etc/pam.d/sudo-i <<-EOF
                        #%PAM-1.0
                        auth       include      sudo
                        account    include      sudo
                        password   include      sudo
                        session    optional     pam_keyinit.so force revoke
                        session    required     pam_limits.so
                        EOF
                fi
                ;;
          sles*)
                mkdir -p ${pp_destdir}/etc/pam.d
                if test $osrelease -lt 10; then
                        cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
                        #%PAM-1.0
                        auth     required       pam_unix2.so
                        session  required       pam_limits.so
                        EOF
                else
                        cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
                        #%PAM-1.0
                        auth     include        common-auth
                        account  include        common-account
                        password include        common-password
                        session  include        common-session
                        # session  optional     pam_xauth.so
                        EOF
                fi
                ;;
        esac

%set [deb]
        # Uncomment some Defaults and the %sudo rule in sudoers
        # Note that the order must match that of sudoers and be tab-indented.
        /bin/ed - ${pp_destdir}${sudoersdir}/sudoers <<-'EOF'
        /Locale settings/+1,s/^# //
        /X11 resource/+1,s/^# //
        /^# \%sudo/,s/^# //
        w
        q
        EOF
        mkdir -p ${pp_destdir}/etc/pam.d
        cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
        #%PAM-1.0

        @include common-auth
        @include common-account

        session required pam_permit.so
        session required pam_limits.so
        EOF

%set [aix]
        summary="Configurable super-user privileges"

%files
        $bindir/sudo        4111 root:
        $bindir/sudoedit    4111 root:
        $sbindir/visudo     0111
        $bindir/sudoreplay  0111
        $libexecdir/*
        $sudoersdir/sudoers.d/  0750 $sudoers_uid:$sudoers_gid
        $timedir/               0700 root:
        $docdir/
        $docdir/*
        /etc/pam.d/*            volatile,optional
%if [rpm,deb]
        $sudoersdir/sudoers $sudoers_mode $sudoers_uid:$sudoers_gid volatile
%else
        $sudoersdir/sudoers.dist $sudoers_mode $sudoers_uid:$sudoers_gid volatile
%endif

%files [!aix]
        $mandir/man*/*

%files [aix]
        # Some versions use catpages, some use manpages.
        $mandir/cat*/* optional
        $mandir/man*/* optional

%post [!rpm,deb]
        # Don't overwrite an existing sudoers file
        sudoersdir=%{sudoersdir}
        if test ! -r $sudoersdir/sudoers; then
                cp -p $sudoersdir/sudoers.dist $sudoersdir/sudoers
        fi

%post [deb]
        # dpkg-deb does not maintain the mode on the sudoers file, and
        # installs it 0640 when sudo requires 0440
        chmod %{sudoers_mode} %{sudoersdir}/sudoers

        # create symlink to ease transition to new path for ldap config
        # if old config file exists and new one doesn't
        if test X"%{flavor}" = X"ldap" -a \
            -r /etc/ldap/ldap.conf -a ! -r /etc/sudo-ldap.conf; then
                ln -s /etc/ldap/ldap.conf /etc/sudo-ldap.conf
        fi

        # Debian uses a sudo group in its default sudoers file
        perl -e '
                exit 0 if getgrnam("sudo");
                $gid = 27; # default debian sudo gid
                setgrent();
                while (getgrgid($gid)) { $gid++; }
                if ($gid != 27) {
                        print "On Debian we normally use gid 27 for \"sudo\".\n";
                        $gname = getgrgid(27);
                        print "However, on your system gid 27 is group \"$gname\".\n\n";
                        print "Would you like me to stop configuring sudo so that you can change this? [n] "; 
                        $ans = <STDIN>;
                        if ($ans =~ /^[yY]/) {
                                print "\"dpkg --pending --configure\" will restart the configuration.\n\n";
                                exit 1;
                        }
                }
                print "Creating group \"sudo\" with gid = $gid\n";
                system("groupadd -g $gid sudo");
                exit 0;
        '

%preun [deb]
        # Remove the /etc/ldap/ldap.conf -> /etc/sudo-ldap.conf symlink if
        # it matches what we created in the postinstall script.
        if test X"%{flavor}" = X"ldap" -a \
            X"`readlink /etc/sudo-ldap.conf 2>/dev/null`" = X"/etc/ldap/ldap.conf"; then
                rm -f /etc/sudo-ldap.conf
        fi