fc4fa795bec81b41addda4fc3446551e9a91e232
[debian/sudo] / sudo.pp
%set
        # Package identity.  The defaults describe the plain build; a
        # non-empty $flavor is appended to both the package name and the
        # kit package name.
        name="sudo"
        pp_kit_package="sudo"
        if test -n "$flavor"; then
                name="sudo-$flavor"
                pp_kit_package="sudo_$flavor"
        fi

        # Human-readable package metadata.
        vendor="Todd C. Miller"
        copyright="(c) 1993-1996,1998-2013 Todd C. Miller"
        summary="Provide limited super-user privileges to specific users"
        description="Sudo is a program designed to allow a sysadmin to give \
limited root privileges to users and log root activity.  \
The basic philosophy is to give as few privileges as possible but \
still allow people to get their work done."

        # Locate the staged sudoedit manual page with a glob under the
        # staging root and strip the staging prefix again.  The link target
        # is the same file name with "edit" removed, i.e. the sudo page;
        # both values are consumed by the files sections further down.
        # NOTE(review): if the glob matched more than one file, only the
        # first path would lose its prefix and basename would receive
        # several arguments.
        sudoedit_man=`echo ${pp_destdir}$mandir/*/sudoedit.* | sed "s:^${pp_destdir}::"`
        sudoedit_man_target=`basename $sudoedit_man | sed 's/edit//'`
18
19 %if [aix]
20         # AIX package summary is limited to 40 characters
21         summary="Configurable super-user privileges"
22
23         # Convert to 4 part version for AIX, including patch level
           # The three sed expressions run in order:
           #   1. "X.Y.ZpN" becomes "X.Y.Z.N"
           #   2. "X.Y.Z" followed by any other non-digit suffix is cut
           #      back to "X.Y.Z"
           #   3. a bare "X.Y.Z" (including the result of step 2) gets
           #      ".0" appended
24         pp_aix_version=`echo $version|sed -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)p\([0-9]*\)$/\1.\2/' -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)[^0-9\.].*$/\1/' -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)$/\1.0/'`
25 %endif
26
27 %if [kit]
28         # Strip off patchlevel for kit which only supports xyz versions
           # All dots are removed first, then a trailing run of non-digits
           # followed by digits is dropped (constructed example:
           # "1.2.3p4" -> "123p4" -> "123").
29         pp_kit_version="`echo $version|sed -e 's/\.//g' -e 's/[^0-9][^0-9]*[0-9][0-9]*$//'`"
30         pp_kit_name="TCM"
31 %endif
32
33 %if [sd]
34         pp_sd_vendor_tag="TCM"
35 %endif
36
37 %if [solaris]
           # The Solaris package name is the vendor tag "TCM" plus $name.
38         pp_solaris_name="TCM${name}"
           # NOTE(review): the pstamp is the build date as printed by
           # /usr/bin/date, so two builds of the same source on different
           # days differ in this field.
39         pp_solaris_pstamp=`/usr/bin/date "+%B %d, %Y"`
40 %endif
41
42 %if [rpm,deb]
43         # Convert patch level into release and remove from version
44         pp_rpm_release="`expr \( $version : '.*p\([0-9][0-9]*\)' \| 0 \) + 1`"
45         pp_rpm_version="`expr $version : '\(.*\)p[0-9][0-9]*'`"
46         pp_rpm_license="BSD"
47         pp_rpm_url="http://www.sudo.ws/"
48         pp_rpm_group="Applications/System"
49         pp_rpm_packager="Todd C. Miller <Todd.Miller@courtesan.com>"
50         if test -n "$linux_audit"; then
51                 pp_rpm_requires="audit-libs >= $linux_audit"
52         fi
53 %else
54         # For all but RPM and Debian we need to install sudoers with a different
55         # name and make a copy of it if there is no existing file.
56         mv ${pp_destdir}$sudoersdir/sudoers ${pp_destdir}$sudoersdir/sudoers.dist
57 %endif
58
59 %if [deb]
           # Debian metadata reuses the values computed for RPM above.
60         pp_deb_maintainer="$pp_rpm_packager"
61         pp_deb_release="$pp_rpm_release"
62         pp_deb_version="$pp_rpm_version"
63         pp_deb_section=admin
           # Stage LICENSE and ChangeLog under usr/share/doc/<package>/ as
           # "copyright" and a gzip-compressed "changelog".
64         install -D -m 644 ${pp_destdir}$docdir/LICENSE ${pp_wrkdir}/${name}/usr/share/doc/${name}/copyright
65         install -D -m 644 ${pp_destdir}$docdir/ChangeLog ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog
66         gzip -9f ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog
           # Generate a one-entry changelog.Debian that points at the
           # upstream changelog.
           # NOTE(review): the variables and the date output are part of
           # the printf format string, so a "%" or backslash in any of
           # them would be interpreted by printf rather than printed.
67         printf "$name ($pp_deb_version-$pp_deb_release) admin; urgency=low\n\n  * see upstream changelog\n\n -- $pp_deb_maintainer  `date '+%a, %d %b %Y %T %z'`\n" > ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian
68         chmod 644 ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian
69         gzip -9f ${pp_wrkdir}/${name}/usr/share/doc/${name}/changelog.Debian
70         # Create lintian override file
           # The overrides record deliberate deviations from lintian
           # defaults: the setuid-root sudo binary (4755), the restrictive
           # modes on etc/sudoers (0440), etc/sudoers.d/ (0750) and
           # var/lib/sudo/ (0700), and the unstripped binaries.
           # The here-document is unquoted, so $name is expanded in it.
71         mkdir -p ${pp_wrkdir}/${name}/usr/share/lintian/overrides
72         cat >${pp_wrkdir}/${name}/usr/share/lintian/overrides/${name} <<-EOF
73         # The sudo binary must be setuid root
74         $name: setuid-binary usr/bin/sudo 4755 root/root
75         # Sudo configuration and data dirs must not be world-readable
76         $name: non-standard-file-perm etc/sudoers 0440 != 0644
77         $name: non-standard-dir-perm etc/sudoers.d/ 0750 != 0755
78         $name: non-standard-dir-perm var/lib/sudo/ 0700 != 0755
79         # Sudo ships with debugging symbols
80         $name: unstripped-binary-or-object
81         EOF
82         chmod 644 ${pp_wrkdir}/${name}/usr/share/lintian/overrides/${name}
83 %endif
84
85 %if [rpm]
86         # Add distro info to release
           # osrelease is what remains of $pp_rpm_distro after the leading
           # non-digits and everything from the first "-" on are removed.
           # For centos/rhel one trailing digit is stripped from it before
           # it is appended as the ".el" tag; for sles it is used as is.
87         osrelease=`echo "$pp_rpm_distro" | sed -e 's/^[^0-9]*//' -e 's/-.*$//'`
88         case "$pp_rpm_distro" in
89         centos*|rhel*)
90                 pp_rpm_release="$pp_rpm_release.el${osrelease%%[0-9]}"
91                 ;;
92         sles*)
93                 pp_rpm_release="$pp_rpm_release.sles$osrelease"
94                 ;;
95         esac
96
97         # Uncomment some Defaults in sudoers
98         # Note that the order must match that of sudoers.
           # The staged sudoers is made owner-writable only for the
           # duration of each edit (chmod u+w ... chmod u-w).  The
           # here-document delimiter is quoted, so the ed commands reach
           # ed without shell expansion; each one strips a leading "# "
           # at a line addressed relative to a marker comment.
           # NOTE(review): the exit status of ed is not checked here, so
           # a marker that is missing from sudoers may leave the setting
           # commented out without failing the build - confirm.
           # NOTE(review): for sles the last two commands uncomment lines
           # below the marker "allow any user to run sudo if they know
           # the password"; presumably that enables a rule covering every
           # user, so review the shipped sudoers before relying on it.
99         case "$pp_rpm_distro" in
100         centos*|rhel*)
101                 chmod u+w ${pp_destdir}${sudoersdir}/sudoers
102                 /bin/ed - ${pp_destdir}${sudoersdir}/sudoers <<-'EOF'
103                 /Locale settings/+1,s/^# //
104                 /Desktop path settings/+1,s/^# //
105                 w
106                 q
107                 EOF
108                 chmod u-w ${pp_destdir}${sudoersdir}/sudoers
109                 ;;
110         sles*)
111                 chmod u+w ${pp_destdir}${sudoersdir}/sudoers
112                 /bin/ed - ${pp_destdir}${sudoersdir}/sudoers <<-'EOF'
113                 /Locale settings/+1,s/^# //
114                 /ConsoleKit session/+1,s/^# //
115                 /allow any user to run sudo if they know the password/+2,s/^# //
116                 /allow any user to run sudo if they know the password/+3,s/^# //
117                 w
118                 q
119                 EOF
120                 chmod u-w ${pp_destdir}${sudoersdir}/sudoers
121                 ;;
122         esac
123
124         # For RedHat the doc dir is expected to include version and release
            # The staged directory is renamed and $docdir is updated to
            # match, so later uses of $docdir see the new name.
125         case "$pp_rpm_distro" in
126         centos*|rhel*)
127                 mv ${pp_destdir}/${docdir} ${pp_destdir}/${docdir}-${version}-${pp_rpm_release}
128                 docdir=${docdir}-${version}-${pp_rpm_release}
129                 ;;
130         esac
131
132         # Choose the correct PAM file by distro, must be tab indented for "<<-"
            # centos/rhel: an osrelease below 50 gets the pam_stack.so
            # form; otherwise the "include system-auth" form is written,
            # together with a separate sudo-i service that includes the
            # sudo service and calls pam_keyinit.so with "force revoke".
            # sles: an osrelease below 10 gets pam_unix2.so; otherwise the
            # common-* stacks are included.
            # NOTE(review): $osrelease is unquoted in the numeric tests,
            # so an empty value makes test report an error and the else
            # branch is taken.
133         case "$pp_rpm_distro" in
134         centos*|rhel*)
135                 mkdir -p ${pp_destdir}/etc/pam.d
136                 if test $osrelease -lt 50; then
137                         cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
138                         #%PAM-1.0
139                         auth       required     pam_stack.so service=system-auth
140                         account    required     pam_stack.so service=system-auth
141                         password   required     pam_stack.so service=system-auth
142                         session    required     pam_limits.so
143                         EOF
144                 else
145                         cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
146                         #%PAM-1.0
147                         auth       include      system-auth
148                         account    include      system-auth
149                         password   include      system-auth
150                         session    optional     pam_keyinit.so revoke
151                         session    required     pam_limits.so
152                         EOF
153                         cat > ${pp_destdir}/etc/pam.d/sudo-i <<-EOF
154                         #%PAM-1.0
155                         auth       include      sudo
156                         account    include      sudo
157                         password   include      sudo
158                         session    optional     pam_keyinit.so force revoke
159                         session    required     pam_limits.so
160                         EOF
161                 fi
162                 ;;
163           sles*)
164                 mkdir -p ${pp_destdir}/etc/pam.d
165                 if test $osrelease -lt 10; then
166                         cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
167                         #%PAM-1.0
168                         auth     required       pam_unix2.so
169                         session  required       pam_limits.so
170                         EOF
171                 else
172                         cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
173                         #%PAM-1.0
174                         auth     include        common-auth
175                         account  include        common-account
176                         password include        common-password
177                         session  include        common-session
178                         # session  optional     pam_xauth.so
179                         EOF
180                 fi
181                 ;;
182         esac
183 %endif
184
185 %if [deb]
186         # Uncomment some Defaults and the %sudo rule in sudoers
187         # Note that the order must match that of sudoers and be tab-indented.
            # Enabling the group rule means membership of the group "sudo"
            # is what confers the privileges that rule grants; the deb
            # post-install script creates that group when it is missing.
            # The staged sudoers is owner-writable only while ed runs, and
            # the quoted delimiter passes the ed commands through without
            # shell expansion.
            # NOTE(review): the exit status of ed is not checked here -
            # confirm that a missing marker cannot go unnoticed.
188         chmod u+w ${pp_destdir}${sudoersdir}/sudoers
189         /bin/ed - ${pp_destdir}${sudoersdir}/sudoers <<-'EOF'
190         /Locale settings/+1,s/^# //
191         /X11 resource/+1,s/^# //
192         /^# \%sudo/,s/^# //
193         w
194         q
195         EOF
196         chmod u-w ${pp_destdir}${sudoersdir}/sudoers
            # PAM service file for Debian: auth and account come from the
            # common-auth and common-account includes; the session stack
            # is pam_permit.so followed by pam_limits.so.
197         mkdir -p ${pp_destdir}/etc/pam.d
198         cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
199         #%PAM-1.0
200
201         @include common-auth
202         @include common-account
203
204         session required pam_permit.so
205         session required pam_limits.so
206         EOF
207 %endif
208
209 %if [macos]
            # Flat installer package; license and read-me are supplied as
            # files.
210         pp_macos_pkg_type=flat
211         pp_macos_bundle_id=ws.sudo.pkg.sudo
212         pp_macos_pkg_license=doc/LICENSE
213         pp_macos_pkg_readme=${pp_wrkdir}/ReadMe.txt
            # ReadMe.txt is NEWS cut off just before the second line that
            # starts with "What" (case-insensitive): the first match is
            # still printed because $seen++ evaluates to 0 at that point.
214         perl -pe 'last if (/^What/i && $seen++)' NEWS > ${pp_wrkdir}/ReadMe.txt
215 %endif
216
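%if X"$aix_freeware" = X"true"
        # Create links in /usr/{bin,sbin} for the binaries installed under
        # $bindir and $sbindir (/opt/freeware on AIX freeware builds).
        # The link targets are the final install paths, not paths under
        # the staging root.
        mkdir -p ${pp_destdir}/usr/bin ${pp_destdir}/usr/sbin
        ln -s -f ${bindir}/sudo ${pp_destdir}/usr/bin
        ln -s -f ${bindir}/sudoedit ${pp_destdir}/usr/bin
        ln -s -f ${bindir}/sudoreplay ${pp_destdir}/usr/bin
        ln -s -f ${sbindir}/visudo ${pp_destdir}/usr/sbin
%endif

        # OS-level directories that should generally exist but might not.
        # Start from the staged man/cat directories (staging prefix
        # stripped), the parents of the doc and timestamp directories, and
        # the locale and PAM directories when they were staged.
        extradirs=`echo ${pp_destdir}/${mandir}/[mc]* | sed "s#${pp_destdir}/##g"`
        extradirs="$extradirs `dirname $docdir` `dirname $timedir`"
        test -d ${pp_destdir}${localedir} && extradirs="$extradirs $localedir"
        test -d ${pp_destdir}/etc/pam.d && extradirs="${extradirs} /etc/pam.d"
        for dir in $bindir $sbindir $libexecdir $includedir $extradirs; do
                # Record the directory and each of its ancestors.  An
                # absolute path ends at "/"; a relative path never gets
                # there because dirname settles on ".", so stop on "."
                # as well instead of looping forever.
                while test "$dir" != "/" && test "$dir" != "."; do
                        osdirs="${osdirs}${osdirs+ }$dir/"
                        dir=`dirname "$dir"`
                done
        done
        # One directory per line, duplicates removed.
        osdirs=`echo $osdirs | tr " " "\n" | sort -u`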
238
239 %depend [deb]
240         libc6, libpam0g, libpam-modules, zlib1g, libselinux1
241
%fixup [deb]
        # Append package relationship headers to the generated control
        # file and add the libldap dependency for the ldap flavor.
        sudo_deb_control=%{pp_wrkdir}/%{name}/DEBIAN/control
        case "%{flavor}" in
        "")
            # Plain build: cannot be installed alongside sudo-ldap.
            {
                echo "Conflicts: sudo-ldap"
                echo "Replaces: sudo-ldap"
            } >> $sudo_deb_control
            ;;
        ldap)
            # LDAP build: takes the place of the plain package.
            {
                echo "Conflicts: sudo"
                echo "Replaces: sudo"
                echo "Provides: sudo"
            } >> $sudo_deb_control
            # Extend the existing Depends line through a scratch copy
            # kept next to the control file in the build work directory.
            cp -p $sudo_deb_control $sudo_deb_control.$$
            sed 's/^\(Depends:.*\) *$/\1, libldap-2.4-2/' $sudo_deb_control.$$ > $sudo_deb_control
            rm -f $sudo_deb_control.$$
            ;;
        esac
        # Headers common to every flavor.
        {
            echo "Homepage: http://www.sudo.ws/sudo/"
            echo "Bugs: http://www.sudo.ws/bugs/"
        } >> $sudo_deb_control
257
258 %files
            # Manifest: path, then mode, owner:group and flags.
259         $osdirs                 -
            # sudo is the only entry installed setuid (4755), owned by
            # root; sudoedit is a symlink to it.
260         $bindir/sudo            4755 root:
261         $bindir/sudoedit        0755 root: symlink sudo
262         $sbindir/visudo         0755
263         $bindir/sudoreplay      0755
264         $includedir/sudo_plugin.h 0644
265         $libexecdir/sudo/       0755
266         $libexecdir/sudo/sesh   0755 optional,ignore-others
267         $libexecdir/sudo/*      $shlib_mode optional
            # Configuration and timestamp directories are not
            # world-accessible: sudoers.d is 0750 with the sudoers owner
            # and group, the timestamp directory is 0700 and owned by root.
268         $sudoersdir/sudoers.d/  0750 $sudoers_uid:$sudoers_gid
269         $timedir/               0700 root:
270         $docdir/                0755
271         $docdir/sudoers2ldif    0755 optional,ignore-others
272 %if [deb]
            # On Debian these two are staged under usr/share/doc as
            # copyright and changelog instead, so they are skipped here.
273         $docdir/LICENSE         ignore,ignore-others
274         $docdir/ChangeLog       ignore,ignore-others
275 %endif
276         $docdir/*               0644
277         $localedir/*/           -    optional
278         $localedir/*/LC_MESSAGES/ -    optional
279         $localedir/*/LC_MESSAGES/* 0644    optional
280         /etc/pam.d/*            0644 volatile,optional
            # sudoers ships with $sudoers_mode and the sudoers owner and
            # group.  RPM and Debian package the file itself; the other
            # formats package sudoers.dist, which the post-install script
            # copies into place only when no sudoers exists.
281 %if [rpm,deb]
282         $sudoersdir/sudoers $sudoers_mode $sudoers_uid:$sudoers_gid volatile
283 %else
284         $sudoersdir/sudoers.dist $sudoers_mode $sudoers_uid:$sudoers_gid volatile
285 %endif
286 %if X"$aix_freeware" = X"true"
287         # Links for binaries from /opt/freeware to /usr
288         /usr/bin/sudo           0755 root: symlink $bindir/sudo
289         /usr/bin/sudoedit       0755 root: symlink $bindir/sudoedit
290         /usr/bin/sudoreplay     0755 root: symlink $bindir/sudoreplay
291         /usr/sbin/visudo        0755 root: symlink $sbindir/visudo
292 %endif
293
294 %files [!aix]
            # The sudoedit manual page is a symlink to the sudo page.
295         $sudoedit_man           0644 symlink,ignore-others $sudoedit_man_target
296         $mandir/man*/*          0644
297
298 %files [aix]
299         # Some versions use catpages, some use manpages.
300         $sudoedit_man           0644 symlink,ignore-others $sudoedit_man_target
301         $mandir/cat*/*          0644 optional
302         $mandir/man*/*          0644 optional
303
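%pre [aix]
        # Abort the installation when rpm reports that a package of the
        # same name is already installed, and tell the administrator how
        # to proceed.
        if rpm -q %{name} >/dev/null 2>&1; then
                # The explanation is a diagnostic, so it is written to
                # stderr ("1>&2").  The previous "2>&1" only pointed
                # stderr at stdout and left the text on stdout.
                echo "Another version of sudo is currently installed via rpm." 1>&2
                echo "Please either uninstall the rpm version of sudo by running \"rpm -e sudo\"" 1>&2
                echo "or upgrade the existing version of sudo using the .rpm package" 1>&2
                echo "instead of the .bff package." 1>&2
                echo "" 1>&2
                echo "Note that you may need to pass rpm the --oldpackage flag when upgrading" 1>&2
                echo "the AIX Toolbox version of sudo to the latest sudo rpm from sudo.ws." 1>&2
                echo "" 1>&2
                exit 1
        fi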
316
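%post [!rpm,deb]
        # Install the packaged sudoers.dist as sudoers, but never overwrite
        # an existing sudoers file.
%if [solaris]
        # Solaris may install into an alternate root.
        sudoersdir="${PKG_INSTALL_ROOT}%{sudoersdir}"
%else
        sudoersdir=%{sudoersdir}
%endif
        # Paths are quoted so an install root containing whitespace is
        # not split into several arguments.
        if test ! -r "$sudoersdir/sudoers"; then
                # cp without -p gives the copy the mode of sudoers.dist
                # as limited by the umask; mode, owner and group are then
                # set explicitly to the configured values.
                cp "$sudoersdir/sudoers.dist" "$sudoersdir/sudoers"
                chmod %{sudoers_mode} "$sudoersdir/sudoers"
                chown %{sudoers_uid} "$sudoersdir/sudoers"
                chgrp %{sudoers_gid} "$sudoersdir/sudoers"
        fi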
330
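%post [deb]
        set -e

        # dpkg-deb does not maintain the mode on the sudoers file, and
        # installs it 0640 when sudo requires 0440
        chmod %{sudoers_mode} %{sudoersdir}/sudoers

        # Create a symlink to ease the transition to the new path for the
        # ldap config, but only for the ldap flavor and only if the old
        # config file exists and the new one does not.
        if test X"%{flavor}" = X"ldap" &&
            test -r /etc/ldap/ldap.conf &&
            test ! -r /etc/sudo-ldap.conf; then
                ln -s /etc/ldap/ldap.conf /etc/sudo-ldap.conf
        fi

        # Debian uses a sudo group in its default sudoers file, so make
        # sure the group exists.  The script is passed to perl inside
        # single quotes and therefore must not contain an apostrophe.
        perl -e '
                # Nothing to do when the group already exists.
                exit 0 if getgrnam("sudo");
                $gid = 27; # default debian sudo gid
                setgrent();
                # Take the first gid at or above 27 that is not in use.
                while (getgrgid($gid)) { $gid++; }
                if ($gid != 27) {
                        # gid 27 belongs to another group: let the
                        # administrator stop here and sort that out.
                        print "On Debian we normally use gid 27 for \"sudo\".\n";
                        $gname = getgrgid(27);
                        print "However, on your system gid 27 is group \"$gname\".\n\n";
                        print "Would you like me to stop configuring sudo so that you can change this? [n] ";
                        $ans = <STDIN>;
                        if ($ans =~ /^[yY]/) {
                                print "\"dpkg --pending --configure\" will restart the configuration.\n\n";
                                exit 1;
                        }
                }
                print "Creating group \"sudo\" with gid = $gid\n";
                # The list form runs groupadd directly, without a shell.
                # A failure is reported instead of being dropped, because
                # the enabled sudoers group rule matches nobody until the
                # group exists.  The exit status stays 0 as before.
                if (system("groupadd", "-g", $gid, "sudo") != 0) {
                        print STDERR "warning: groupadd failed (status $?); group \"sudo\" was not created\n";
                }
                exit 0;
        '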
366
%preun [deb]
        set -e

        # For the ldap flavor, remove /etc/sudo-ldap.conf only when it is
        # still the symlink to /etc/ldap/ldap.conf that the postinstall
        # script created; anything else at that path is left alone.
        # readlink stays inside the test argument so that its failure on
        # a missing or non-symlink path does not trip "set -e".
        if test X"%{flavor}" = X"ldap" &&
            test X"`readlink /etc/sudo-ldap.conf 2>/dev/null`" = X"/etc/ldap/ldap.conf"; then
                rm -f /etc/sudo-ldap.conf
        fi