%set if test -n "$flavor"; then name="sudo-$flavor" pp_kit_package="sudo_$flavor" else name="sudo" pp_kit_package="sudo" fi summary="Provide limited super-user privileges to specific users" description="Sudo is a program designed to allow a sysadmin to give \ limited root privileges to users and log root activity. \ The basic philosophy is to give as few privileges as possible but \ still allow people to get their work done." vendor="Todd C. Miller" copyright="(c) 1993-1996,1998-2012 Todd C. Miller" %if [aix] # AIX package summary is limited to 40 characters summary="Configurable super-user privileges" # Convert to 4 part version for AIX, including patch level pp_aix_version=`echo $version|sed -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)p\([0-9]*\)$/\1.\2/' -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)[^0-9\.].*$/\1/' -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)$/\1.0/'` %endif %if [kit] # Strip off patchlevel for kit which only supports xyz versions pp_kit_version="`echo $version|sed -e 's/\.//g' -e 's/[^0-9][^0-9]*[0-9][0-9]*$//'`" pp_kit_name="TCM" %endif %if [sd] pp_sd_vendor_tag="TCM" %endif %if [solaris] pp_solaris_name="TCM${name}" pp_solaris_pstamp=`/usr/bin/date "+%B %d, %Y"` %endif %if [rpm,deb] # Convert patch level into release and remove from version pp_rpm_release="`expr \( $version : '.*p\([0-9][0-9]*\)' \| 0 \) + 1`" pp_rpm_version="`expr $version : '\(.*\)p[0-9][0-9]*'`" pp_rpm_license="BSD" pp_rpm_url="http://www.sudo.ws/" pp_rpm_group="Applications/System" pp_rpm_packager="Todd.Miller@courtesan.com" if test -n "$linux_audit"; then pp_rpm_requires="audit-libs >= $linux_audit" fi pp_deb_maintainer="$pp_rpm_packager" pp_deb_release="$pp_rpm_release" pp_deb_version="$pp_rpm_version" %else # For all but RPM and Debian we need to install sudoers with a different # name and make a copy of it if there is no existing file. mv ${pp_destdir}$sudoersdir/sudoers ${pp_destdir}$sudoersdir/sudoers.dist %endif %if [rpm] # Add distro info to release osrelease=`echo "$pp_rpm_distro" | sed -e 's/^[^0-9]*//' -e 's/-.*$//'` case "$pp_rpm_distro" in centos*|rhel*) pp_rpm_release="$pp_rpm_release.el${osrelease%%[0-9]}" ;; sles*) pp_rpm_release="$pp_rpm_release.sles$osrelease" ;; esac # Uncomment some Defaults in sudoers # Note that the order must match that of sudoers. case "$pp_rpm_distro" in centos*|rhel*) chmod u+w ${pp_destdir}${sudoersdir}/sudoers /bin/ed - ${pp_destdir}${sudoersdir}/sudoers <<-'EOF' /Locale settings/+1,s/^# // /Desktop path settings/+1,s/^# // w q EOF chmod u-w ${pp_destdir}${sudoersdir}/sudoers ;; sles*) chmod u+w ${pp_destdir}${sudoersdir}/sudoers /bin/ed - ${pp_destdir}${sudoersdir}/sudoers <<-'EOF' /Locale settings/+1,s/^# // /ConsoleKit session/+1,s/^# // /allow any user to run sudo if they know the password/+2,s/^# // /allow any user to run sudo if they know the password/+3,s/^# // w q EOF chmod u-w ${pp_destdir}${sudoersdir}/sudoers ;; esac # For RedHat the doc dir is expected to include version and release case "$pp_rpm_distro" in centos*|rhel*) mv ${pp_destdir}/${docdir} ${pp_destdir}/${docdir}-${version}-${pp_rpm_release} docdir=${docdir}-${version}-${pp_rpm_release} ;; esac # Choose the correct PAM file by distro, must be tab indented for "<<-" case "$pp_rpm_distro" in centos*|rhel*) mkdir -p ${pp_destdir}/etc/pam.d if test $osrelease -lt 50; then cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF #%PAM-1.0 auth required pam_stack.so service=system-auth account required pam_stack.so service=system-auth password required pam_stack.so service=system-auth session required pam_limits.so EOF else cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF #%PAM-1.0 auth include system-auth account include system-auth password include system-auth session optional pam_keyinit.so revoke session required pam_limits.so EOF cat > ${pp_destdir}/etc/pam.d/sudo-i <<-EOF #%PAM-1.0 auth include sudo account include sudo password include sudo session optional pam_keyinit.so force revoke session required pam_limits.so EOF fi ;; sles*) mkdir -p ${pp_destdir}/etc/pam.d if test $osrelease -lt 10; then cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF #%PAM-1.0 auth required pam_unix2.so session required pam_limits.so EOF else cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF #%PAM-1.0 auth include common-auth account include common-account password include common-password session include common-session # session optional pam_xauth.so EOF fi ;; esac %endif %if [deb] # Uncomment some Defaults and the %sudo rule in sudoers # Note that the order must match that of sudoers and be tab-indented. chmod u+w ${pp_destdir}${sudoersdir}/sudoers /bin/ed - ${pp_destdir}${sudoersdir}/sudoers <<-'EOF' /Locale settings/+1,s/^# // /X11 resource/+1,s/^# // /^# \%sudo/,s/^# // w q EOF chmod u-w ${pp_destdir}${sudoersdir}/sudoers mkdir -p ${pp_destdir}/etc/pam.d cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF #%PAM-1.0 @include common-auth @include common-account session required pam_permit.so session required pam_limits.so EOF %endif %if [macos] pp_macos_pkg_type=flat pp_macos_bundle_id=ws.sudo.pkg.sudo pp_macos_pkg_license=doc/LICENSE pp_macos_pkg_readme=${pp_wrkdir}/ReadMe.txt perl -pe 'last if (/^What/i && $seen++)' NEWS > ${pp_wrkdir}/ReadMe.txt %endif # OS-level directories that should generally exist but might not. extradirs=`echo ${pp_destdir}/${mandir}/[mc]* | sed "s#${pp_destdir}/##g"` extradirs="$extradirs `dirname $docdir` `dirname $timedir`" test -d ${pp_destdir}/etc/pam.d && extradirs="${extradirs} /etc/pam.d" for dir in $bindir $sbindir $libexecdir $includedir $extradirs; do while test "$dir" != "/"; do osdirs="${osdirs}${osdirs+ }$dir/" dir=`dirname $dir` done done osdirs=`echo $osdirs | tr " " "\n" | sort -u` %files $osdirs - $bindir/sudo 4111 root: $bindir/sudoedit 4111 root: $sbindir/visudo 0111 $bindir/sudoreplay 0111 $includedir/sudo_plugin.h 0444 $libexecdir/* 0755 optional $sudoersdir/sudoers.d/ 0750 $sudoers_uid:$sudoers_gid $timedir/ 0700 root: $docdir/ 0755 $docdir/sudoers2ldif 0555 optional,ignore-others $docdir/* 0444 $localedir/ - optional $localedir/** 0444 optional /etc/pam.d/* 0444 volatile,optional %if [rpm,deb] $sudoersdir/sudoers $sudoers_mode $sudoers_uid:$sudoers_gid volatile %else $sudoersdir/sudoers.dist $sudoers_mode $sudoers_uid:$sudoers_gid volatile %endif %files [!aix] $mandir/man*/* %files [aix] # Some versions use catpages, some use manpages. $mandir/cat*/* optional $mandir/man*/* optional %post [!rpm,deb] # Don't overwrite an existing sudoers file %if [solaris] sudoersdir=${PKG_INSTALL_ROOT}%{sudoersdir} %else sudoersdir=%{sudoersdir} %endif if test ! -r $sudoersdir/sudoers; then cp $sudoersdir/sudoers.dist $sudoersdir/sudoers chmod %{sudoers_mode} $sudoersdir/sudoers chown %{sudoers_uid} $sudoersdir/sudoers chgrp %{sudoers_gid} $sudoersdir/sudoers fi %post [deb] # dpkg-deb does not maintain the mode on the sudoers file, and # installs it 0640 when sudo requires 0440 chmod %{sudoers_mode} %{sudoersdir}/sudoers # create symlink to ease transition to new path for ldap config # if old config file exists and new one doesn't if test X"%{flavor}" = X"ldap" -a \ -r /etc/ldap/ldap.conf -a ! -r /etc/sudo-ldap.conf; then ln -s /etc/ldap/ldap.conf /etc/sudo-ldap.conf fi # Debian uses a sudo group in its default sudoers file perl -e ' exit 0 if getgrnam("sudo"); $gid = 27; # default debian sudo gid setgrent(); while (getgrgid($gid)) { $gid++; } if ($gid != 27) { print "On Debian we normally use gid 27 for \"sudo\".\n"; $gname = getgrgid(27); print "However, on your system gid 27 is group \"$gname\".\n\n"; print "Would you like me to stop configuring sudo so that you can change this? [n] "; $ans = ; if ($ans =~ /^[yY]/) { print "\"dpkg --pending --configure\" will restart the configuration.\n\n"; exit 1; } } print "Creating group \"sudo\" with gid = $gid\n"; system("groupadd -g $gid sudo"); exit 0; ' %preun [deb] # Remove the /etc/ldap/ldap.conf -> /etc/sudo-ldap.conf symlink if # it matches what we created in the postinstall script. if test X"%{flavor}" = X"ldap" -a \ X"`readlink /etc/sudo-ldap.conf 2>/dev/null`" = X"/etc/ldap/ldap.conf"; then rm -f /etc/sudo-ldap.conf fi