-rw-r--r-- | app-admin/sudo/files/sudo-1.9.2-glibc-2.32.patch | 308 | ||||
-rw-r--r-- | app-admin/sudo/sudo-1.9.2-r1.ebuild | 265 |
2 files changed, 573 insertions, 0 deletions
diff --git a/app-admin/sudo/files/sudo-1.9.2-glibc-2.32.patch b/app-admin/sudo/files/sudo-1.9.2-glibc-2.32.patch
new file mode 100644
index 000000000000..6134fe736d00
--- /dev/null
+++ b/app-admin/sudo/files/sudo-1.9.2-glibc-2.32.patch
@@ -0,0 +1,308 @@
+
+# HG changeset patch
+# User Todd C. Miller <Todd.Miller@sudo.ws>
+# Date 1598395693 21600
+# Node ID e30482f26924b07775d87ae591e54ad72e794d5e
+# Parent 1ede927d99b3cb06ba514c9fd2fd7fa9a014a1b2
+Use sigabbrev_np(3) to access signal abbreviations if supported.
+glibc-2.32 has removed sys_sigabbrev[], we can use sigabbrev_np(3) instead.
+
+diff -r 1ede927d99b3 -r e30482f26924 config.h.in
+--- a/config.h.in Mon Aug 17 19:37:09 2020 -0600
++++ b/config.h.in Tue Aug 25 16:48:13 2020 -0600
+@@ -740,6 +740,9 @@
+ /* Define to 1 if you have the `sig2str' function. */
+ #undef HAVE_SIG2STR
+
++/* Define to 1 if you have the `sigabbrev_np' function. */
++#undef HAVE_SIGABBREV_NP
++
+ /* Define to 1 if you use S/Key. */
+ #undef HAVE_SKEY
+
+diff -r 1ede927d99b3 -r e30482f26924 configure
+--- a/configure Mon Aug 17 19:37:09 2020 -0600
++++ b/configure Tue Aug 25 16:48:13 2020 -0600
+@@ -23687,9 +23687,21 @@
+
+
+ if test x"${ac_cv_func_sig2str}${ac_cv_func_str2sig}" != x"yesyes"; then
+- COMPAT_TEST_PROGS="${COMPAT_TEST_PROGS}${COMPAT_TEST_PROGS+ }strsig_test"
+- HAVE_SIGNAME="false"
+- ac_fn_c_check_decl "$LINENO" "sys_signame" "ac_cv_have_decl_sys_signame" "
++ for ac_func in sigabbrev_np
++do :
++ ac_fn_c_check_func "$LINENO" "sigabbrev_np" "ac_cv_func_sigabbrev_np"
++if test "x$ac_cv_func_sigabbrev_np" = xyes; then :
++ cat >>confdefs.h <<_ACEOF
++#define HAVE_SIGABBREV_NP 1
++_ACEOF
++
++fi
++done
++
++ if test x"${ac_cv_func_sigabbrev_np}" != x"yes"; then
++ COMPAT_TEST_PROGS="${COMPAT_TEST_PROGS}${COMPAT_TEST_PROGS+ }strsig_test"
++ HAVE_SIGNAME="false"
++ ac_fn_c_check_decl "$LINENO" "sys_signame" "ac_cv_have_decl_sys_signame" "
+ $ac_includes_default
+ #include <signal.h>
+
+@@ -23705,7 +23717,7 @@
+ _ACEOF
+ if test $ac_have_decl = 1; then :
+
+- HAVE_SIGNAME="true"
++ HAVE_SIGNAME="true"
+
+ fi
+ ac_fn_c_check_decl "$LINENO" "_sys_signame" "ac_cv_have_decl__sys_signame" "
+@@ -23724,7 +23736,7 @@
+ _ACEOF
+ if test $ac_have_decl = 1; then :
+
+- HAVE_SIGNAME="true"
++ HAVE_SIGNAME="true"
+
+ fi
+ ac_fn_c_check_decl "$LINENO" "sys_sigabbrev" "ac_cv_have_decl_sys_sigabbrev" "
+@@ -23743,12 +23755,12 @@
+ _ACEOF
+ if test $ac_have_decl = 1; then :
+
+- HAVE_SIGNAME="true"
+-
+-fi
+-
+- if test "$HAVE_SIGNAME" != "true"; then
+- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for undeclared sys_sigabbrev" >&5
++ HAVE_SIGNAME="true"
++
++fi
++
++ if test "$HAVE_SIGNAME" != "true"; then
++ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for undeclared sys_sigabbrev" >&5
+ $as_echo_n "checking for undeclared sys_sigabbrev... " >&6; }
+ if ${sudo_cv_var_sys_sigabbrev+:} false; then :
+ $as_echo_n "(cached) " >&6
+@@ -23777,17 +23789,18 @@
+ fi
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_sys_sigabbrev" >&5
+ $as_echo "$sudo_cv_var_sys_sigabbrev" >&6; }
+- if test "$sudo_cv_var_sys_sigabbrev" = yes; then
+- $as_echo "#define HAVE_SYS_SIGABBREV 1" >>confdefs.h
+-
+- else
+- case " $LIBOBJS " in
++ if test "$sudo_cv_var_sys_sigabbrev" = yes; then
++ $as_echo "#define HAVE_SYS_SIGABBREV 1" >>confdefs.h
++
++ else
++ case " $LIBOBJS " in
+ *" signame.$ac_objext "* ) ;;
+ *) LIBOBJS="$LIBOBJS signame.$ac_objext"
+ ;;
+ esac
+
+- SIGNAME=signame.lo
++ SIGNAME=signame.lo
++ fi
+ fi
+ fi
+ fi
+diff -r 1ede927d99b3 -r e30482f26924 configure.ac
+--- a/configure.ac Mon Aug 17 19:37:09 2020 -0600
++++ b/configure.ac Tue Aug 25 16:48:13 2020 -0600
+@@ -3498,29 +3498,32 @@
+ dnl Also enable unit tests for sig2str() and str2sig().
+ dnl
+ if test x"${ac_cv_func_sig2str}${ac_cv_func_str2sig}" != x"yesyes"; then
+- COMPAT_TEST_PROGS="${COMPAT_TEST_PROGS}${COMPAT_TEST_PROGS+ }strsig_test"
+- HAVE_SIGNAME="false"
+- AC_CHECK_DECLS([sys_signame, _sys_signame, sys_sigabbrev], [
+- HAVE_SIGNAME="true"
+- ], [ ], [
++ AC_CHECK_FUNCS([sigabbrev_np])
++ if test x"${ac_cv_func_sigabbrev_np}" != x"yes"; then
++ COMPAT_TEST_PROGS="${COMPAT_TEST_PROGS}${COMPAT_TEST_PROGS+ }strsig_test"
++ HAVE_SIGNAME="false"
++ AC_CHECK_DECLS([sys_signame, _sys_signame, sys_sigabbrev], [
++ HAVE_SIGNAME="true"
++ ], [ ], [
+ AC_INCLUDES_DEFAULT
+ #include <signal.h>
+- ])
+- if test "$HAVE_SIGNAME" != "true"; then
+- AC_CACHE_CHECK([for undeclared sys_sigabbrev],
+- [sudo_cv_var_sys_sigabbrev],
+- [AC_LINK_IFELSE(
+- [AC_LANG_PROGRAM([[extern char **sys_sigabbrev;]], [[return sys_sigabbrev[1];]])],
+- [sudo_cv_var_sys_sigabbrev=yes],
+- [sudo_cv_var_sys_sigabbrev=no]
+- )
+- ]
+- )
+- if test "$sudo_cv_var_sys_sigabbrev" = yes; then
+- AC_DEFINE(HAVE_SYS_SIGABBREV)
+- else
+- AC_LIBOBJ(signame)
+- SIGNAME=signame.lo
++ ])
++ if test "$HAVE_SIGNAME" != "true"; then
++ AC_CACHE_CHECK([for undeclared sys_sigabbrev],
++ [sudo_cv_var_sys_sigabbrev],
++ [AC_LINK_IFELSE(
++ [AC_LANG_PROGRAM([[extern char **sys_sigabbrev;]], [[return sys_sigabbrev[1];]])],
++ [sudo_cv_var_sys_sigabbrev=yes],
++ [sudo_cv_var_sys_sigabbrev=no]
++ )
++ ]
++ )
++ if test "$sudo_cv_var_sys_sigabbrev" = yes; then
++ AC_DEFINE(HAVE_SYS_SIGABBREV)
++ else
++ AC_LIBOBJ(signame)
++ SIGNAME=signame.lo
++ fi
+ fi
+ fi
+ fi
+diff -r 1ede927d99b3 -r e30482f26924 lib/util/sig2str.c
+--- a/lib/util/sig2str.c Mon Aug 17 19:37:09 2020 -0600
++++ b/lib/util/sig2str.c Tue Aug 25 16:48:13 2020 -0600
+@@ -1,7 +1,7 @@
+ /*
+ * SPDX-License-Identifier: ISC
+ *
+- * Copyright (c) 2012-2015, 2017-2019 Todd C. Miller <Todd.Miller@sudo.ws>
++ * Copyright (c) 2012-2015, 2017-2020 Todd C. Miller <Todd.Miller@sudo.ws>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+@@ -32,20 +32,24 @@
+ #include <unistd.h>
+
+ #include "sudo_compat.h"
++#include "sudo_util.h"
+
+-#if defined(HAVE_DECL_SYS_SIGNAME) && HAVE_DECL_SYS_SIGNAME == 1
+-# define sudo_sys_signame sys_signame
+-#elif defined(HAVE_DECL__SYS_SIGNAME) && HAVE_DECL__SYS_SIGNAME == 1
+-# define sudo_sys_signame _sys_signame
+-#elif defined(HAVE_DECL_SYS_SIGABBREV) && HAVE_DECL_SYS_SIGABBREV == 1
+-# define sudo_sys_signame sys_sigabbrev
+-#else
+-# ifdef HAVE_SYS_SIGABBREV
+- /* sys_sigabbrev is not declared by glibc */
+-# define sudo_sys_signame sys_sigabbrev
++#if !defined(HAVE_SIGABBREV_NP)
++# if defined(HAVE_DECL_SYS_SIGNAME) && HAVE_DECL_SYS_SIGNAME == 1
++# define sigabbrev_np(_x) sys_signame[(_x)]
++# elif defined(HAVE_DECL__SYS_SIGNAME) && HAVE_DECL__SYS_SIGNAME == 1
++# define sigabbrev_np(_x) _sys_signame[(_x)]
++# elif defined(HAVE_SYS_SIGABBREV)
++# define sigabbrev_np(_x) sys_sigabbrev[(_x)]
++# if defined(HAVE_DECL_SYS_SIGABBREV) && HAVE_DECL_SYS_SIGABBREV == 0
++ /* sys_sigabbrev is not declared by glibc */
++ extern const char *const sys_sigabbrev[NSIG];
++# endif
++# else
++# define sigabbrev_np(_x) sudo_sys_signame[(_x)]
++ extern const char *const sudo_sys_signame[NSIG];
+ # endif
+-extern const char *const sudo_sys_signame[NSIG];
+-#endif
++#endif /* !HAVE_SIGABBREV_NP */
+
+ /*
+ * Translate signal number to name.
+@@ -77,15 +81,18 @@
+ return 0;
+ }
+ #endif
+- if (signo > 0 && signo < NSIG && sudo_sys_signame[signo] != NULL) {
+- strlcpy(signame, sudo_sys_signame[signo], SIG2STR_MAX);
+- /* Make sure we always return an upper case signame. */
+- if (islower((unsigned char)signame[0])) {
+- int i;
+- for (i = 0; signame[i] != '\0'; i++)
+- signame[i] = toupper((unsigned char)signame[i]);
++ if (signo > 0 && signo < NSIG) {
++ const char *cp = sigabbrev_np(signo);
++ if (cp != NULL) {
++ strlcpy(signame, cp, SIG2STR_MAX);
++ /* Make sure we always return an upper case signame. */
++ if (islower((unsigned char)signame[0])) {
++ int i;
++ for (i = 0; signame[i] != '\0'; i++)
++ signame[i] = toupper((unsigned char)signame[i]);
++ }
++ return 0;
+ }
+- return 0;
+ }
+ errno = EINVAL;
+ return -1;
+diff -r 1ede927d99b3 -r e30482f26924 lib/util/str2sig.c
+--- a/lib/util/str2sig.c Mon Aug 17 19:37:09 2020 -0600
++++ b/lib/util/str2sig.c Tue Aug 25 16:48:13 2020 -0600
+@@ -1,7 +1,7 @@
+ /*
+ * SPDX-License-Identifier: ISC
+ *
+- * Copyright (c) 2019 Todd C. Miller <Todd.Miller@sudo.ws>
++ * Copyright (c) 2019-2020 Todd C. Miller <Todd.Miller@sudo.ws>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+@@ -37,19 +37,22 @@
+ #include "sudo_compat.h"
+ #include "sudo_util.h"
+
+-#if defined(HAVE_DECL_SYS_SIGNAME) && HAVE_DECL_SYS_SIGNAME == 1
+-# define sudo_sys_signame sys_signame
+-#elif defined(HAVE_DECL__SYS_SIGNAME) && HAVE_DECL__SYS_SIGNAME == 1
+-# define sudo_sys_signame _sys_signame
+-#elif defined(HAVE_DECL_SYS_SIGABBREV) && HAVE_DECL_SYS_SIGABBREV == 1
+-# define sudo_sys_signame sys_sigabbrev
+-#else
+-# ifdef HAVE_SYS_SIGABBREV
+- /* sys_sigabbrev is not declared by glibc */
+-# define sudo_sys_signame sys_sigabbrev
++#if !defined(HAVE_SIGABBREV_NP)
++# if defined(HAVE_DECL_SYS_SIGNAME) && HAVE_DECL_SYS_SIGNAME == 1
++# define sigabbrev_np(_x) sys_signame[(_x)]
++# elif defined(HAVE_DECL__SYS_SIGNAME) && HAVE_DECL__SYS_SIGNAME == 1
++# define sigabbrev_np(_x) _sys_signame[(_x)]
++# elif defined(HAVE_SYS_SIGABBREV)
++# define sigabbrev_np(_x) sys_sigabbrev[(_x)]
++# if defined(HAVE_DECL_SYS_SIGABBREV) && HAVE_DECL_SYS_SIGABBREV == 0
++ /* sys_sigabbrev is not declared by glibc */
++ extern const char *const sys_sigabbrev[NSIG];
++# endif
++# else
++# define sigabbrev_np(_x) sudo_sys_signame[(_x)]
++ extern const char *const sudo_sys_signame[NSIG];
+ # endif
+-extern const char *const sudo_sys_signame[NSIG];
+-#endif
++#endif /* !HAVE_SIGABBREV_NP */
+
+ /*
+ * Many systems use aliases for source backward compatibility.
+@@ -154,11 +157,11 @@
+ }
+ }
+
+- /* Check sys_signame[]. */
+ for (signo = 1; signo < NSIG; signo++) {
+- if (sudo_sys_signame[signo] != NULL) {
++ const char *cp = sigabbrev_np(signo);
++ if (cp != NULL) {
+ /* On macOS sys_signame[] may contain lower-case names. */
+- if (strcasecmp(signame, sudo_sys_signame[signo]) == 0) {
++ if (strcasecmp(signame, cp) == 0) {
+ *result = signo;
+ return 0;
+ }
+
diff --git a/app-admin/sudo/sudo-1.9.2-r1.ebuild b/app-admin/sudo/sudo-1.9.2-r1.ebuild
new file mode 100644
index 000000000000..1f1f6e60dd34
--- /dev/null
+++ b/app-admin/sudo/sudo-1.9.2-r1.ebuild
@@ -0,0 +1,265 @@
+# Copyright 1999-2020 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit pam multilib libtool systemd tmpfiles
+
+MY_P="${P/_/}"
+MY_P="${MY_P/beta/b}"
+
+DESCRIPTION="Allows users or groups to run commands as other users"
+HOMEPAGE="https://www.sudo.ws/"
+if [[ ${PV} == "9999" ]] ; then
+ inherit mercurial
+ EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
+else
+ uri_prefix=
+ case ${P} in
+ *_beta*|*_rc*) uri_prefix=beta/ ;;
+ esac
+
+ SRC_URI="https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
+ ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"
+ if [[ ${PV} != *_beta* ]] && [[ ${PV} != *_rc* ]] ; then
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86 ~sparc-solaris"
+ fi
+fi
+
+# Basic license is ISC-style as-is, some files are released under
+# 3-clause BSD license
+LICENSE="ISC BSD"
+SLOT="0"
+IUSE="gcrypt ldap libressl nls offensive pam sasl +secure-path selinux +sendmail skey ssl sssd"
+
+DEPEND="
+ sys-libs/zlib:=
+ gcrypt? ( dev-libs/libgcrypt:= )
+ ldap? (
+ >=net-nds/openldap-2.1.30-r1
+ sasl? (
+ dev-libs/cyrus-sasl
+ net-nds/openldap[sasl]
+ )
+ )
+ pam? ( sys-libs/pam )
+ sasl? ( dev-libs/cyrus-sasl )
+ skey? ( >=sys-auth/skey-1.1.5-r1 )
+ ssl? (
+ !libressl? ( dev-libs/openssl:0= )
+ libressl? ( dev-libs/libressl:0= )
+ )
+ sssd? ( sys-auth/sssd[sudo] )
+"
+RDEPEND="
+ ${DEPEND}
+ >=app-misc/editor-wrapper-3
+ virtual/editor
+ ldap? ( dev-lang/perl )
+ pam? ( sys-auth/pambase )
+ selinux? ( sec-policy/selinux-sudo )
+ sendmail? ( virtual/mta )
+"
+BDEPEND="
+ sys-devel/bison
+ virtual/pkgconfig
+"
+
+S="${WORKDIR}/${MY_P}"
+
+REQUIRED_USE="
+ pam? ( !skey )
+ skey? ( !pam )
+"
+
+REQUIRED_USE="?? ( gcrypt ssl )"
+
+MAKEOPTS+=" SAMPLES="
+
+PATCHES=( "${FILESDIR}/${P}-glibc-2.32.patch" ) # drop for releases after 1.9.2
+
+src_prepare() {
+ default
+ elibtoolize
+}
+
+set_secure_path() {
+ # FIXME: secure_path is a compile time setting. using PATH or
+ # ROOTPATH is not perfect, env-update may invalidate this, but until it
+ # is available as a sudoers setting this will have to do.
+ einfo "Setting secure_path ..."
+
+ # first extract the default ROOTPATH from build env
+ SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env;
+ echo "${ROOTPATH}")
+ case "${SECURE_PATH}" in
+ */usr/sbin*) ;;
+ *) SECURE_PATH=$(unset PATH;
+ . "${EPREFIX}"/etc/profile.env; echo "${PATH}")
+ ;;
+ esac
+ if [[ -z ${SECURE_PATH} ]] ; then
+ ewarn " Failed to detect SECURE_PATH, please report this"
+ fi
+
+ # then remove duplicate path entries
+ cleanpath() {
+ local newpath thisp IFS=:
+ for thisp in $1 ; do
+ if [[ :${newpath}: != *:${thisp}:* ]] ; then
+ newpath+=:${thisp}
+ else
+ einfo " Duplicate entry ${thisp} removed..."
+ fi
+ done
+ SECURE_PATH=${newpath#:}
+ }
+ cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
+
+ # finally, strip gcc paths #136027
+ rmpath() {
+ local e newpath thisp IFS=:
+ for thisp in ${SECURE_PATH} ; do
+ for e ; do [[ ${thisp} == ${e} ]] && continue 2 ; done
+ newpath+=:${thisp}
+ done
+ SECURE_PATH=${newpath#:}
+ }
+ rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*'
+
+ einfo "... done"
+}
+
+src_configure() {
+ local SECURE_PATH
+ set_secure_path
+
+ # audit: somebody got to explain me how I can test this before I
+ # enable it.. - Diego
+ # plugindir: autoconf code is crappy and does not delay evaluation
+ # until `make` time, so we have to use a full path here rather than
+ # basing off other values.
+ myeconfargs=(
+ # requires some python eclass
+ --disable-python
+ --enable-tmpfiles.d="${EPREFIX}"/usr/lib/tmpfiles.d
+ --enable-zlib=system
+ --with-editor="${EPREFIX}"/usr/libexec/editor
+ --with-env-editor
+ --with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo
+ --with-rundir="${EPREFIX}"/run/sudo
+ --with-vardir="${EPREFIX}"/var/db/sudo
+ --without-linux-audit
+ --without-opie
+ $(use_enable gcrypt)
+ $(use_enable nls)
+ $(use_enable sasl)
+ $(use_enable ssl openssl)
+ $(use_with ldap)
+ $(use_with ldap ldap_conf_file /etc/ldap.conf.sudo)
+ $(use_with offensive insults)
+ $(use_with offensive all-insults)
+ $(use_with pam)
+ $(use_with pam pam-login)
+ $(use_with secure-path secure-path "${SECURE_PATH}")
+ $(use_with selinux)
+ $(use_with sendmail)
+ $(use_with skey)
+ $(use_with sssd)
+ )
+
+ econf "${myeconfargs[@]}"
+}
+
+src_install() {
+ default
+
+ if use ldap ; then
+ dodoc README.LDAP
+
+ cat <<-EOF > "${T}"/ldap.conf.sudo
+ # See ldap.conf(5) and README.LDAP for details
+ # This file should only be readable by root
+
+ # supported directives: host, port, ssl, ldap_version
+ # uri, binddn, bindpw, sudoers_base, sudoers_debug
+ # tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key}
+ EOF
+
+ if use sasl ; then
+ cat <<-EOF >> "${T}"/ldap.conf.sudo
+
+ # SASL directives: use_sasl, sasl_mech, sasl_auth_id
+ # sasl_secprops, rootuse_sasl, rootsasl_auth_id, krb5_ccname
+ EOF
+ fi
+
+ insinto /etc
+ doins "${T}"/ldap.conf.sudo
+ fperms 0440 /etc/ldap.conf.sudo
+
+ insinto /etc/openldap/schema
+ newins doc/schema.OpenLDAP sudo.schema
+ fi
+
+ pamd_mimic system-auth sudo auth account session
+ pamd_mimic system-auth sudo-i auth account session
+
+ keepdir /var/db/sudo/lectured
+ fperms 0700 /var/db/sudo/lectured
+ fperms 0711 /var/db/sudo #652958
+
+ # Don't install into /run as that is a tmpfs most of the time
+ # (bug #504854)
+ rm -rf "${ED}"/run || die
+
+ find "${ED}" -type f -name "*.la" -delete || die #697812
+}
+
+pkg_postinst() {
+ tmpfiles_process sudo.conf
+
+ #652958
+ local sudo_db="${EROOT}/var/db/sudo"
+ if [[ "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then
+ chmod 711 "${sudo_db}" || die
+ fi
+
+ if use ldap ; then
+ ewarn
+ ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."
+ ewarn
+ if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
+ ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
+ ewarn "configured in /etc/nsswitch.conf."
+ ewarn
+ ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"
+ ewarn " sudoers: ldap files"
+ ewarn
+ fi
+ fi
+ if use prefix ; then
+ ewarn
+ ewarn "To use sudo, you need to change file ownership and permissions"
+ ewarn "with root privileges, as follows:"
+ ewarn
+ ewarn " # chown root:root ${EPREFIX}/usr/bin/sudo"
+ ewarn " # chown root:root ${EPREFIX}/usr/lib/sudo/sudoers.so"
+ ewarn " # chown root:root ${EPREFIX}/etc/sudoers"
+ ewarn " # chown root:root ${EPREFIX}/etc/sudoers.d"
+ ewarn " # chown root:root ${EPREFIX}/var/db/sudo"
+ ewarn " # chmod 4111 ${EPREFIX}/usr/bin/sudo"
+ ewarn
+ fi
+
+ elog "To use the -A (askpass) option, you need to install a compatible"
+ elog "password program from the following list. Starred packages will"
+ elog "automatically register for the use with sudo (but will not force"
+ elog "the -A option):"
+ elog ""
+ elog " [*] net-misc/ssh-askpass-fullscreen"
+ elog " net-misc/x11-ssh-askpass"
+ elog ""
+ elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
+ elog "variable to the program you want to use."
+} |
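Review bot: `REQUIRED_USE` is assigned twice in the ebuild, and the second assignment, `REQUIRED_USE="?? ( gcrypt ssl )"`, replaces the first instead of extending it, so the `pam? ( !skey )` / `skey? ( !pam )` exclusion is never seen by the package manager. Fold both into one assignment, for example `REQUIRED_USE="pam? ( !skey ) skey? ( !pam ) ?? ( gcrypt ssl )"`, so that a build with both authentication back ends enabled is rejected up front rather than reaching `econf` with `--with-pam` and `--with-skey` together. Separately, `set_secure_path` bakes the build host's `ROOTPATH`/`PATH` from `profile.env` into sudo's compile-time `secure_path` and `rmpath` only strips the gcc directories; a comment there such as `# every remaining entry is assumed root-owned and not user-writable` would make that assumption explicit for whoever audits the resulting binary. The final `elog` also misspells "environmnent".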