Get Gentoo!
gentoo.org sites
gentoo.org Wiki Bugs Forums Packages
Planet Archives Sources
Infra Status
summaryrefslogtreecommitdiff
path: root/app-admin/sudo
diff options
context:
space:
mode:
Diffstat (limited to 'app-admin/sudo')
-rw-r--r--app-admin/sudo/Manifest4
-rw-r--r--app-admin/sudo/files/sudo-1.9.2-glibc-2.32.patch308
-rw-r--r--app-admin/sudo/metadata.xml4
-rw-r--r--app-admin/sudo/sudo-1.9.15_p5.ebuild (renamed from app-admin/sudo/sudo-1.9.2-r1.ebuild)141
-rw-r--r--app-admin/sudo/sudo-1.9.2.ebuild263
-rw-r--r--app-admin/sudo/sudo-1.9.3_p1.ebuild263
-rw-r--r--app-admin/sudo/sudo-9999.ebuild139
7 files changed, 168 insertions, 954 deletions
diff --git a/app-admin/sudo/Manifest b/app-admin/sudo/Manifest
index c2e61bee9440..90f9f2b10c40 100644
--- a/app-admin/sudo/Manifest
+++ b/app-admin/sudo/Manifest
@@ -1,2 +1,2 @@
-DIST sudo-1.9.2.tar.gz 3890859 BLAKE2B 879917b8045c999a17ef36006732509aa546ee6bb04de77191fb637aa0420d54f9e51ec69b697c22119d638393e9c84efcc1ca5e6e8ee5f0c08bb1ca07f3acea SHA512 20afdf2604b1c93395157382b24f225cd1ff88d3a892362e2d69fecd240c4e7171f05032c08be1778cd1dea6e460025e4241f57272fac0ea3550e220b6d73d21
-DIST sudo-1.9.3p1.tar.gz 3958071 BLAKE2B b681c120faa5dc7f25e27c1be423d68cea70f63dcdfea2183fd386a34dec0376555453399d3f8886c66c6507343648d40b59a058710432154061b210df2a704c SHA512 3ad13fd03e5b371fd6bf7909731ffc11431d2182a744b654f7e5d4b810e47955d49bc78f551afe13ec56acbce694139c33a15bc022cea41b17af5496b8b7f89f
+DIST sudo-1.9.15p5.tar.gz 5306611 BLAKE2B 73ee598c2a2848d5be24f97492b13eba2f326c514799220e43a1aeafc6692224a7555fb7cc0a96a2720751d3e4d98e752804db589ac3c1476f24e71f5b9bc720 SHA512 ebac69719de2fe7bd587924701bdd24149bf376a68b17ec02f69b2b96d4bb6fa5eb8260a073ec5ea046d3ac69bb5b1c0b9d61709fe6a56f1f66e40817a70b15a
+DIST sudo-1.9.15p5.tar.gz.sig 566 BLAKE2B ddd8fed1b3721aafdb32b762834168063c3f0f003ef5d83f1883615320da6fe89b08d72c8e893c8b2bf9fd892a40e47cc77d72672e43b5a24db50e7194d9bc4c SHA512 97480a3d27b546a93e997c3a1e8169904a7625ab8fa6198d0b7e1d2d040f55b2d58462cd08e5cc97c2f1c817b12343e35cdd7db207aee42785f2b95b17c600b0
diff --git a/app-admin/sudo/files/sudo-1.9.2-glibc-2.32.patch b/app-admin/sudo/files/sudo-1.9.2-glibc-2.32.patch
deleted file mode 100644
index 6134fe736d00..000000000000
--- a/app-admin/sudo/files/sudo-1.9.2-glibc-2.32.patch
+++ /dev/null
@@ -1,308 +0,0 @@
-
-# HG changeset patch
-# User Todd C. Miller <Todd.Miller@sudo.ws>
-# Date 1598395693 21600
-# Node ID e30482f26924b07775d87ae591e54ad72e794d5e
-# Parent 1ede927d99b3cb06ba514c9fd2fd7fa9a014a1b2
-Use sigabbrev_np(3) to access signal abbreviations if supported.
-glibc-2.32 has removed sys_sigabbrev[], we can use sigabbrev_np(3) instead.
-
-diff -r 1ede927d99b3 -r e30482f26924 config.h.in
---- a/config.h.in Mon Aug 17 19:37:09 2020 -0600
-+++ b/config.h.in Tue Aug 25 16:48:13 2020 -0600
-@@ -740,6 +740,9 @@
- /* Define to 1 if you have the `sig2str' function. */
- #undef HAVE_SIG2STR
-
-+/* Define to 1 if you have the `sigabbrev_np' function. */
-+#undef HAVE_SIGABBREV_NP
-+
- /* Define to 1 if you use S/Key. */
- #undef HAVE_SKEY
-
-diff -r 1ede927d99b3 -r e30482f26924 configure
---- a/configure Mon Aug 17 19:37:09 2020 -0600
-+++ b/configure Tue Aug 25 16:48:13 2020 -0600
-@@ -23687,9 +23687,21 @@
-
-
- if test x"${ac_cv_func_sig2str}${ac_cv_func_str2sig}" != x"yesyes"; then
-- COMPAT_TEST_PROGS="${COMPAT_TEST_PROGS}${COMPAT_TEST_PROGS+ }strsig_test"
-- HAVE_SIGNAME="false"
-- ac_fn_c_check_decl "$LINENO" "sys_signame" "ac_cv_have_decl_sys_signame" "
-+ for ac_func in sigabbrev_np
-+do :
-+ ac_fn_c_check_func "$LINENO" "sigabbrev_np" "ac_cv_func_sigabbrev_np"
-+if test "x$ac_cv_func_sigabbrev_np" = xyes; then :
-+ cat >>confdefs.h <<_ACEOF
-+#define HAVE_SIGABBREV_NP 1
-+_ACEOF
-+
-+fi
-+done
-+
-+ if test x"${ac_cv_func_sigabbrev_np}" != x"yes"; then
-+ COMPAT_TEST_PROGS="${COMPAT_TEST_PROGS}${COMPAT_TEST_PROGS+ }strsig_test"
-+ HAVE_SIGNAME="false"
-+ ac_fn_c_check_decl "$LINENO" "sys_signame" "ac_cv_have_decl_sys_signame" "
- $ac_includes_default
- #include <signal.h>
-
-@@ -23705,7 +23717,7 @@
- _ACEOF
- if test $ac_have_decl = 1; then :
-
-- HAVE_SIGNAME="true"
-+ HAVE_SIGNAME="true"
-
- fi
- ac_fn_c_check_decl "$LINENO" "_sys_signame" "ac_cv_have_decl__sys_signame" "
-@@ -23724,7 +23736,7 @@
- _ACEOF
- if test $ac_have_decl = 1; then :
-
-- HAVE_SIGNAME="true"
-+ HAVE_SIGNAME="true"
-
- fi
- ac_fn_c_check_decl "$LINENO" "sys_sigabbrev" "ac_cv_have_decl_sys_sigabbrev" "
-@@ -23743,12 +23755,12 @@
- _ACEOF
- if test $ac_have_decl = 1; then :
-
-- HAVE_SIGNAME="true"
--
--fi
--
-- if test "$HAVE_SIGNAME" != "true"; then
-- { $as_echo "$as_me:${as_lineno-$LINENO}: checking for undeclared sys_sigabbrev" >&5
-+ HAVE_SIGNAME="true"
-+
-+fi
-+
-+ if test "$HAVE_SIGNAME" != "true"; then
-+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking for undeclared sys_sigabbrev" >&5
- $as_echo_n "checking for undeclared sys_sigabbrev... " >&6; }
- if ${sudo_cv_var_sys_sigabbrev+:} false; then :
- $as_echo_n "(cached) " >&6
-@@ -23777,17 +23789,18 @@
- fi
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_sys_sigabbrev" >&5
- $as_echo "$sudo_cv_var_sys_sigabbrev" >&6; }
-- if test "$sudo_cv_var_sys_sigabbrev" = yes; then
-- $as_echo "#define HAVE_SYS_SIGABBREV 1" >>confdefs.h
--
-- else
-- case " $LIBOBJS " in
-+ if test "$sudo_cv_var_sys_sigabbrev" = yes; then
-+ $as_echo "#define HAVE_SYS_SIGABBREV 1" >>confdefs.h
-+
-+ else
-+ case " $LIBOBJS " in
- *" signame.$ac_objext "* ) ;;
- *) LIBOBJS="$LIBOBJS signame.$ac_objext"
- ;;
- esac
-
-- SIGNAME=signame.lo
-+ SIGNAME=signame.lo
-+ fi
- fi
- fi
- fi
-diff -r 1ede927d99b3 -r e30482f26924 configure.ac
---- a/configure.ac Mon Aug 17 19:37:09 2020 -0600
-+++ b/configure.ac Tue Aug 25 16:48:13 2020 -0600
-@@ -3498,29 +3498,32 @@
- dnl Also enable unit tests for sig2str() and str2sig().
- dnl
- if test x"${ac_cv_func_sig2str}${ac_cv_func_str2sig}" != x"yesyes"; then
-- COMPAT_TEST_PROGS="${COMPAT_TEST_PROGS}${COMPAT_TEST_PROGS+ }strsig_test"
-- HAVE_SIGNAME="false"
-- AC_CHECK_DECLS([sys_signame, _sys_signame, sys_sigabbrev], [
-- HAVE_SIGNAME="true"
-- ], [ ], [
-+ AC_CHECK_FUNCS([sigabbrev_np])
-+ if test x"${ac_cv_func_sigabbrev_np}" != x"yes"; then
-+ COMPAT_TEST_PROGS="${COMPAT_TEST_PROGS}${COMPAT_TEST_PROGS+ }strsig_test"
-+ HAVE_SIGNAME="false"
-+ AC_CHECK_DECLS([sys_signame, _sys_signame, sys_sigabbrev], [
-+ HAVE_SIGNAME="true"
-+ ], [ ], [
- AC_INCLUDES_DEFAULT
- #include <signal.h>
-- ])
-- if test "$HAVE_SIGNAME" != "true"; then
-- AC_CACHE_CHECK([for undeclared sys_sigabbrev],
-- [sudo_cv_var_sys_sigabbrev],
-- [AC_LINK_IFELSE(
-- [AC_LANG_PROGRAM([[extern char **sys_sigabbrev;]], [[return sys_sigabbrev[1];]])],
-- [sudo_cv_var_sys_sigabbrev=yes],
-- [sudo_cv_var_sys_sigabbrev=no]
-- )
-- ]
-- )
-- if test "$sudo_cv_var_sys_sigabbrev" = yes; then
-- AC_DEFINE(HAVE_SYS_SIGABBREV)
-- else
-- AC_LIBOBJ(signame)
-- SIGNAME=signame.lo
-+ ])
-+ if test "$HAVE_SIGNAME" != "true"; then
-+ AC_CACHE_CHECK([for undeclared sys_sigabbrev],
-+ [sudo_cv_var_sys_sigabbrev],
-+ [AC_LINK_IFELSE(
-+ [AC_LANG_PROGRAM([[extern char **sys_sigabbrev;]], [[return sys_sigabbrev[1];]])],
-+ [sudo_cv_var_sys_sigabbrev=yes],
-+ [sudo_cv_var_sys_sigabbrev=no]
-+ )
-+ ]
-+ )
-+ if test "$sudo_cv_var_sys_sigabbrev" = yes; then
-+ AC_DEFINE(HAVE_SYS_SIGABBREV)
-+ else
-+ AC_LIBOBJ(signame)
-+ SIGNAME=signame.lo
-+ fi
- fi
- fi
- fi
-diff -r 1ede927d99b3 -r e30482f26924 lib/util/sig2str.c
---- a/lib/util/sig2str.c Mon Aug 17 19:37:09 2020 -0600
-+++ b/lib/util/sig2str.c Tue Aug 25 16:48:13 2020 -0600
-@@ -1,7 +1,7 @@
- /*
- * SPDX-License-Identifier: ISC
- *
-- * Copyright (c) 2012-2015, 2017-2019 Todd C. Miller <Todd.Miller@sudo.ws>
-+ * Copyright (c) 2012-2015, 2017-2020 Todd C. Miller <Todd.Miller@sudo.ws>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
-@@ -32,20 +32,24 @@
- #include <unistd.h>
-
- #include "sudo_compat.h"
-+#include "sudo_util.h"
-
--#if defined(HAVE_DECL_SYS_SIGNAME) && HAVE_DECL_SYS_SIGNAME == 1
--# define sudo_sys_signame sys_signame
--#elif defined(HAVE_DECL__SYS_SIGNAME) && HAVE_DECL__SYS_SIGNAME == 1
--# define sudo_sys_signame _sys_signame
--#elif defined(HAVE_DECL_SYS_SIGABBREV) && HAVE_DECL_SYS_SIGABBREV == 1
--# define sudo_sys_signame sys_sigabbrev
--#else
--# ifdef HAVE_SYS_SIGABBREV
-- /* sys_sigabbrev is not declared by glibc */
--# define sudo_sys_signame sys_sigabbrev
-+#if !defined(HAVE_SIGABBREV_NP)
-+# if defined(HAVE_DECL_SYS_SIGNAME) && HAVE_DECL_SYS_SIGNAME == 1
-+# define sigabbrev_np(_x) sys_signame[(_x)]
-+# elif defined(HAVE_DECL__SYS_SIGNAME) && HAVE_DECL__SYS_SIGNAME == 1
-+# define sigabbrev_np(_x) _sys_signame[(_x)]
-+# elif defined(HAVE_SYS_SIGABBREV)
-+# define sigabbrev_np(_x) sys_sigabbrev[(_x)]
-+# if defined(HAVE_DECL_SYS_SIGABBREV) && HAVE_DECL_SYS_SIGABBREV == 0
-+ /* sys_sigabbrev is not declared by glibc */
-+ extern const char *const sys_sigabbrev[NSIG];
-+# endif
-+# else
-+# define sigabbrev_np(_x) sudo_sys_signame[(_x)]
-+ extern const char *const sudo_sys_signame[NSIG];
- # endif
--extern const char *const sudo_sys_signame[NSIG];
--#endif
-+#endif /* !HAVE_SIGABBREV_NP */
-
- /*
- * Translate signal number to name.
-@@ -77,15 +81,18 @@
- return 0;
- }
- #endif
-- if (signo > 0 && signo < NSIG && sudo_sys_signame[signo] != NULL) {
-- strlcpy(signame, sudo_sys_signame[signo], SIG2STR_MAX);
-- /* Make sure we always return an upper case signame. */
-- if (islower((unsigned char)signame[0])) {
-- int i;
-- for (i = 0; signame[i] != '\0'; i++)
-- signame[i] = toupper((unsigned char)signame[i]);
-+ if (signo > 0 && signo < NSIG) {
-+ const char *cp = sigabbrev_np(signo);
-+ if (cp != NULL) {
-+ strlcpy(signame, cp, SIG2STR_MAX);
-+ /* Make sure we always return an upper case signame. */
-+ if (islower((unsigned char)signame[0])) {
-+ int i;
-+ for (i = 0; signame[i] != '\0'; i++)
-+ signame[i] = toupper((unsigned char)signame[i]);
-+ }
-+ return 0;
- }
-- return 0;
- }
- errno = EINVAL;
- return -1;
-diff -r 1ede927d99b3 -r e30482f26924 lib/util/str2sig.c
---- a/lib/util/str2sig.c Mon Aug 17 19:37:09 2020 -0600
-+++ b/lib/util/str2sig.c Tue Aug 25 16:48:13 2020 -0600
-@@ -1,7 +1,7 @@
- /*
- * SPDX-License-Identifier: ISC
- *
-- * Copyright (c) 2019 Todd C. Miller <Todd.Miller@sudo.ws>
-+ * Copyright (c) 2019-2020 Todd C. Miller <Todd.Miller@sudo.ws>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
-@@ -37,19 +37,22 @@
- #include "sudo_compat.h"
- #include "sudo_util.h"
-
--#if defined(HAVE_DECL_SYS_SIGNAME) && HAVE_DECL_SYS_SIGNAME == 1
--# define sudo_sys_signame sys_signame
--#elif defined(HAVE_DECL__SYS_SIGNAME) && HAVE_DECL__SYS_SIGNAME == 1
--# define sudo_sys_signame _sys_signame
--#elif defined(HAVE_DECL_SYS_SIGABBREV) && HAVE_DECL_SYS_SIGABBREV == 1
--# define sudo_sys_signame sys_sigabbrev
--#else
--# ifdef HAVE_SYS_SIGABBREV
-- /* sys_sigabbrev is not declared by glibc */
--# define sudo_sys_signame sys_sigabbrev
-+#if !defined(HAVE_SIGABBREV_NP)
-+# if defined(HAVE_DECL_SYS_SIGNAME) && HAVE_DECL_SYS_SIGNAME == 1
-+# define sigabbrev_np(_x) sys_signame[(_x)]
-+# elif defined(HAVE_DECL__SYS_SIGNAME) && HAVE_DECL__SYS_SIGNAME == 1
-+# define sigabbrev_np(_x) _sys_signame[(_x)]
-+# elif defined(HAVE_SYS_SIGABBREV)
-+# define sigabbrev_np(_x) sys_sigabbrev[(_x)]
-+# if defined(HAVE_DECL_SYS_SIGABBREV) && HAVE_DECL_SYS_SIGABBREV == 0
-+ /* sys_sigabbrev is not declared by glibc */
-+ extern const char *const sys_sigabbrev[NSIG];
-+# endif
-+# else
-+# define sigabbrev_np(_x) sudo_sys_signame[(_x)]
-+ extern const char *const sudo_sys_signame[NSIG];
- # endif
--extern const char *const sudo_sys_signame[NSIG];
--#endif
-+#endif /* !HAVE_SIGABBREV_NP */
-
- /*
- * Many systems use aliases for source backward compatibility.
-@@ -154,11 +157,11 @@
- }
- }
-
-- /* Check sys_signame[]. */
- for (signo = 1; signo < NSIG; signo++) {
-- if (sudo_sys_signame[signo] != NULL) {
-+ const char *cp = sigabbrev_np(signo);
-+ if (cp != NULL) {
- /* On macOS sys_signame[] may contain lower-case names. */
-- if (strcasecmp(signame, sudo_sys_signame[signo]) == 0) {
-+ if (strcasecmp(signame, cp) == 0) {
- *result = signo;
- return 0;
- }
-
diff --git a/app-admin/sudo/metadata.xml b/app-admin/sudo/metadata.xml
index a99f4f7e613f..7660289e000f 100644
--- a/app-admin/sudo/metadata.xml
+++ b/app-admin/sudo/metadata.xml
@@ -1,5 +1,5 @@
<?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
+<!DOCTYPE pkgmetadata SYSTEM "https://www.gentoo.org/dtd/metadata.dtd">
<pkgmetadata>
<maintainer type="project">
<email>base-system@gentoo.org</email>
@@ -13,7 +13,6 @@
</longdescription>
<use>
<flag name="gcrypt">Use message digest functions from <pkg>dev-libs/libgcrypt</pkg> instead of sudo's</flag>
- <flag name="libressl">Use message digest functions from <pkg>dev-libs/libressl</pkg> instead of sudo's</flag>
<flag name="offensive">Let sudo print insults when the user types the wrong password</flag>
<flag name="sendmail">Allow sudo to send emails with sendmail</flag>
<flag name="sssd">Add System Security Services Daemon support</flag>
@@ -21,5 +20,6 @@
</use>
<upstream>
<remote-id type="cpe">cpe:/a:todd_miller:sudo</remote-id>
+ <remote-id type="github">sudo-project/sudo</remote-id>
</upstream>
</pkgmetadata>
diff --git a/app-admin/sudo/sudo-1.9.2-r1.ebuild b/app-admin/sudo/sudo-1.9.15_p5.ebuild
index 1f1f6e60dd34..b130fe70e0ad 100644
--- a/app-admin/sudo/sudo-1.9.2-r1.ebuild
+++ b/app-admin/sudo/sudo-1.9.15_p5.ebuild
@@ -1,54 +1,68 @@
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
-EAPI=7
+EAPI=8
-inherit pam multilib libtool systemd tmpfiles
+inherit pam libtool tmpfiles toolchain-funcs
MY_P="${P/_/}"
MY_P="${MY_P/beta/b}"
DESCRIPTION="Allows users or groups to run commands as other users"
HOMEPAGE="https://www.sudo.ws/"
-if [[ ${PV} == "9999" ]] ; then
+
+if [[ ${PV} == 9999 ]] ; then
inherit mercurial
EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
else
+ VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/sudo.ws.asc
+ inherit verify-sig
+
uri_prefix=
case ${P} in
*_beta*|*_rc*) uri_prefix=beta/ ;;
esac
- SRC_URI="https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
- ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"
- if [[ ${PV} != *_beta* ]] && [[ ${PV} != *_rc* ]] ; then
- KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86 ~sparc-solaris"
+ SRC_URI="
+ https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
+ ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz
+ verify-sig? (
+ https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz.sig
+ ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz.sig
+ )
+ "
+
+ if [[ ${PV} != *_beta* && ${PV} != *_rc* ]] ; then
+ KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~loong ~m68k ~mips ppc ppc64 ~riscv ~s390 sparc x86"
fi
+
+ BDEPEND="verify-sig? ( sec-keys/openpgp-keys-sudo )"
fi
+S="${WORKDIR}/${MY_P}"
+
# Basic license is ISC-style as-is, some files are released under
# 3-clause BSD license
LICENSE="ISC BSD"
SLOT="0"
-IUSE="gcrypt ldap libressl nls offensive pam sasl +secure-path selinux +sendmail skey ssl sssd"
+IUSE="gcrypt ldap nls offensive pam sasl +secure-path selinux +sendmail skey ssl sssd"
DEPEND="
sys-libs/zlib:=
+ virtual/libcrypt:=
gcrypt? ( dev-libs/libgcrypt:= )
ldap? (
- >=net-nds/openldap-2.1.30-r1
+ >=net-nds/openldap-2.1.30-r1:=
sasl? (
dev-libs/cyrus-sasl
- net-nds/openldap[sasl]
+ net-nds/openldap:=[sasl]
)
)
pam? ( sys-libs/pam )
sasl? ( dev-libs/cyrus-sasl )
+ selinux? ( sys-libs/libselinux )
skey? ( >=sys-auth/skey-1.1.5-r1 )
- ssl? (
- !libressl? ( dev-libs/openssl:0= )
- libressl? ( dev-libs/libressl:0= )
- )
+ ssl? ( dev-libs/openssl:= )
sssd? ( sys-auth/sssd[sudo] )
"
RDEPEND="
@@ -60,49 +74,41 @@ RDEPEND="
selinux? ( sec-policy/selinux-sudo )
sendmail? ( virtual/mta )
"
-BDEPEND="
- sys-devel/bison
+BDEPEND+="
+ app-alternatives/yacc
virtual/pkgconfig
"
-S="${WORKDIR}/${MY_P}"
-
REQUIRED_USE="
- pam? ( !skey )
- skey? ( !pam )
+ ?? ( pam skey )
+ ?? ( gcrypt ssl )
"
-REQUIRED_USE="?? ( gcrypt ssl )"
-
MAKEOPTS+=" SAMPLES="
-PATCHES=( "${FILESDIR}/${P}-glibc-2.32.patch" ) # drop for releases after 1.9.2
-
src_prepare() {
default
+
elibtoolize
}
set_secure_path() {
- # FIXME: secure_path is a compile time setting. using PATH or
- # ROOTPATH is not perfect, env-update may invalidate this, but until it
- # is available as a sudoers setting this will have to do.
- einfo "Setting secure_path ..."
-
- # first extract the default ROOTPATH from build env
- SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env;
- echo "${ROOTPATH}")
- case "${SECURE_PATH}" in
- */usr/sbin*) ;;
- *) SECURE_PATH=$(unset PATH;
- . "${EPREFIX}"/etc/profile.env; echo "${PATH}")
- ;;
- esac
+ # First extract the default ROOTPATH from build env
+ SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env; echo "${ROOTPATH}")
+
+ case "${SECURE_PATH}" in
+ */usr/sbin*)
+ ;;
+ *)
+ SECURE_PATH=$(unset PATH; . "${EPREFIX}"/etc/profile.env; echo "${PATH}")
+ ;;
+ esac
+
if [[ -z ${SECURE_PATH} ]] ; then
ewarn " Failed to detect SECURE_PATH, please report this"
fi
- # then remove duplicate path entries
+ # Then remove duplicate path entries
cleanpath() {
local newpath thisp IFS=:
for thisp in $1 ; do
@@ -114,32 +120,43 @@ set_secure_path() {
done
SECURE_PATH=${newpath#:}
}
- cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
+ cleanpath /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
- # finally, strip gcc paths #136027
+ # Finally, strip gcc paths, bug #136027
rmpath() {
local e newpath thisp IFS=:
for thisp in ${SECURE_PATH} ; do
- for e ; do [[ ${thisp} == ${e} ]] && continue 2 ; done
+ for e ; do
+ [[ ${thisp} == ${e} ]] && continue 2 ;
+ done
newpath+=:${thisp}
done
SECURE_PATH=${newpath#:}
}
rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*'
-
- einfo "... done"
}
src_configure() {
local SECURE_PATH
+
set_secure_path
- # audit: somebody got to explain me how I can test this before I
+ # bug #767712
+ tc-export PKG_CONFIG
+
+ # - audit: somebody got to explain me how I can test this before I
# enable it.. - Diego
- # plugindir: autoconf code is crappy and does not delay evaluation
+ # - plugindir: autoconf code is crappy and does not delay evaluation
# until `make` time, so we have to use a full path here rather than
# basing off other values.
- myeconfargs=(
+ local myeconfargs=(
+ # We set all of the relevant options by ourselves (patched
+ # into the toolchain) and setting these in the build system
+ # actually causes a downgrade when using e.g. -D_FORTIFY_SOURCE=3
+ # (it'll downgrade to =2). So, this has no functional effect on
+ # the hardening for users. It's safe.
+ --disable-hardening
+
# requires some python eclass
--disable-python
--enable-tmpfiles.d="${EPREFIX}"/usr/lib/tmpfiles.d
@@ -175,10 +192,10 @@ src_install() {
default
if use ldap ; then
- dodoc README.LDAP
+ dodoc README.LDAP.md
cat <<-EOF > "${T}"/ldap.conf.sudo
- # See ldap.conf(5) and README.LDAP for details
+ # See ldap.conf(5) and README.LDAP.md for details
# This file should only be readable by root
# supported directives: host, port, ssl, ldap_version
@@ -199,27 +216,31 @@ src_install() {
fperms 0440 /etc/ldap.conf.sudo
insinto /etc/openldap/schema
- newins doc/schema.OpenLDAP sudo.schema
+ newins docs/schema.OpenLDAP sudo.schema
fi
- pamd_mimic system-auth sudo auth account session
- pamd_mimic system-auth sudo-i auth account session
+ if use pam ; then
+ pamd_mimic system-auth sudo auth account session
+ pamd_mimic system-auth sudo-i auth account session
+ fi
keepdir /var/db/sudo/lectured
fperms 0700 /var/db/sudo/lectured
- fperms 0711 /var/db/sudo #652958
+ # bug #652958
+ fperms 0711 /var/db/sudo
# Don't install into /run as that is a tmpfs most of the time
# (bug #504854)
rm -rf "${ED}"/run || die
- find "${ED}" -type f -name "*.la" -delete || die #697812
+ # bug #697812
+ find "${ED}" -type f -name "*.la" -delete || die
}
pkg_postinst() {
tmpfiles_process sudo.conf
- #652958
+ # bug #652958
local sudo_db="${EROOT}/var/db/sudo"
if [[ "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then
chmod 711 "${sudo_db}" || die
@@ -227,20 +248,20 @@ pkg_postinst() {
if use ldap ; then
ewarn
- ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."
+ ewarn "sudo uses the ${ROOT}/etc/ldap.conf.sudo file for ldap configuration."
ewarn
if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
- ewarn "configured in /etc/nsswitch.conf."
+ ewarn "configured in ${ROOT}/etc/nsswitch.conf."
ewarn
- ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"
+ ewarn "To make use of LDAP, add this line to your ${ROOT}/etc/nsswitch.conf:"
ewarn " sudoers: ldap files"
ewarn
fi
fi
if use prefix ; then
ewarn
- ewarn "To use sudo, you need to change file ownership and permissions"
+ ewarn "To use sudo on Prefix, you need to change file ownership and permissions"
ewarn "with root privileges, as follows:"
ewarn
ewarn " # chown root:root ${EPREFIX}/usr/bin/sudo"
diff --git a/app-admin/sudo/sudo-1.9.2.ebuild b/app-admin/sudo/sudo-1.9.2.ebuild
deleted file mode 100644
index ff902d2d4e1d..000000000000
--- a/app-admin/sudo/sudo-1.9.2.ebuild
+++ /dev/null
@@ -1,263 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit pam multilib libtool systemd tmpfiles
-
-MY_P="${P/_/}"
-MY_P="${MY_P/beta/b}"
-
-DESCRIPTION="Allows users or groups to run commands as other users"
-HOMEPAGE="https://www.sudo.ws/"
-if [[ ${PV} == "9999" ]] ; then
- inherit mercurial
- EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
-else
- uri_prefix=
- case ${P} in
- *_beta*|*_rc*) uri_prefix=beta/ ;;
- esac
-
- SRC_URI="https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
- ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"
- if [[ ${PV} != *_beta* ]] && [[ ${PV} != *_rc* ]] ; then
- KEYWORDS="~alpha amd64 arm arm64 hppa ~ia64 ~m68k ~mips ppc ppc64 s390 sparc x86 ~sparc-solaris"
- fi
-fi
-
-# Basic license is ISC-style as-is, some files are released under
-# 3-clause BSD license
-LICENSE="ISC BSD"
-SLOT="0"
-IUSE="gcrypt ldap libressl nls offensive pam sasl +secure-path selinux +sendmail skey ssl sssd"
-
-DEPEND="
- sys-libs/zlib:=
- gcrypt? ( dev-libs/libgcrypt:= )
- ldap? (
- >=net-nds/openldap-2.1.30-r1
- sasl? (
- dev-libs/cyrus-sasl
- net-nds/openldap[sasl]
- )
- )
- pam? ( sys-libs/pam )
- sasl? ( dev-libs/cyrus-sasl )
- skey? ( >=sys-auth/skey-1.1.5-r1 )
- ssl? (
- !libressl? ( dev-libs/openssl:0= )
- libressl? ( dev-libs/libressl:0= )
- )
- sssd? ( sys-auth/sssd[sudo] )
-"
-RDEPEND="
- ${DEPEND}
- >=app-misc/editor-wrapper-3
- virtual/editor
- ldap? ( dev-lang/perl )
- pam? ( sys-auth/pambase )
- selinux? ( sec-policy/selinux-sudo )
- sendmail? ( virtual/mta )
-"
-BDEPEND="
- sys-devel/bison
- virtual/pkgconfig
-"
-
-S="${WORKDIR}/${MY_P}"
-
-REQUIRED_USE="
- pam? ( !skey )
- skey? ( !pam )
-"
-
-REQUIRED_USE="?? ( gcrypt ssl )"
-
-MAKEOPTS+=" SAMPLES="
-
-src_prepare() {
- default
- elibtoolize
-}
-
-set_secure_path() {
- # FIXME: secure_path is a compile time setting. using PATH or
- # ROOTPATH is not perfect, env-update may invalidate this, but until it
- # is available as a sudoers setting this will have to do.
- einfo "Setting secure_path ..."
-
- # first extract the default ROOTPATH from build env
- SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env;
- echo "${ROOTPATH}")
- case "${SECURE_PATH}" in
- */usr/sbin*) ;;
- *) SECURE_PATH=$(unset PATH;
- . "${EPREFIX}"/etc/profile.env; echo "${PATH}")
- ;;
- esac
- if [[ -z ${SECURE_PATH} ]] ; then
- ewarn " Failed to detect SECURE_PATH, please report this"
- fi
-
- # then remove duplicate path entries
- cleanpath() {
- local newpath thisp IFS=:
- for thisp in $1 ; do
- if [[ :${newpath}: != *:${thisp}:* ]] ; then
- newpath+=:${thisp}
- else
- einfo " Duplicate entry ${thisp} removed..."
- fi
- done
- SECURE_PATH=${newpath#:}
- }
- cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
-
- # finally, strip gcc paths #136027
- rmpath() {
- local e newpath thisp IFS=:
- for thisp in ${SECURE_PATH} ; do
- for e ; do [[ ${thisp} == ${e} ]] && continue 2 ; done
- newpath+=:${thisp}
- done
- SECURE_PATH=${newpath#:}
- }
- rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*'
-
- einfo "... done"
-}
-
-src_configure() {
- local SECURE_PATH
- set_secure_path
-
- # audit: somebody got to explain me how I can test this before I
- # enable it.. - Diego
- # plugindir: autoconf code is crappy and does not delay evaluation
- # until `make` time, so we have to use a full path here rather than
- # basing off other values.
- myeconfargs=(
- # requires some python eclass
- --disable-python
- --enable-tmpfiles.d="${EPREFIX}"/usr/lib/tmpfiles.d
- --enable-zlib=system
- --with-editor="${EPREFIX}"/usr/libexec/editor
- --with-env-editor
- --with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo
- --with-rundir="${EPREFIX}"/run/sudo
- --with-vardir="${EPREFIX}"/var/db/sudo
- --without-linux-audit
- --without-opie
- $(use_enable gcrypt)
- $(use_enable nls)
- $(use_enable sasl)
- $(use_enable ssl openssl)
- $(use_with ldap)
- $(use_with ldap ldap_conf_file /etc/ldap.conf.sudo)
- $(use_with offensive insults)
- $(use_with offensive all-insults)
- $(use_with pam)
- $(use_with pam pam-login)
- $(use_with secure-path secure-path "${SECURE_PATH}")
- $(use_with selinux)
- $(use_with sendmail)
- $(use_with skey)
- $(use_with sssd)
- )
-
- econf "${myeconfargs[@]}"
-}
-
-src_install() {
- default
-
- if use ldap ; then
- dodoc README.LDAP
-
- cat <<-EOF > "${T}"/ldap.conf.sudo
- # See ldap.conf(5) and README.LDAP for details
- # This file should only be readable by root
-
- # supported directives: host, port, ssl, ldap_version
- # uri, binddn, bindpw, sudoers_base, sudoers_debug
- # tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key}
- EOF
-
- if use sasl ; then
- cat <<-EOF >> "${T}"/ldap.conf.sudo
-
- # SASL directives: use_sasl, sasl_mech, sasl_auth_id
- # sasl_secprops, rootuse_sasl, rootsasl_auth_id, krb5_ccname
- EOF
- fi
-
- insinto /etc
- doins "${T}"/ldap.conf.sudo
- fperms 0440 /etc/ldap.conf.sudo
-
- insinto /etc/openldap/schema
- newins doc/schema.OpenLDAP sudo.schema
- fi
-
- pamd_mimic system-auth sudo auth account session
- pamd_mimic system-auth sudo-i auth account session
-
- keepdir /var/db/sudo/lectured
- fperms 0700 /var/db/sudo/lectured
- fperms 0711 /var/db/sudo #652958
-
- # Don't install into /run as that is a tmpfs most of the time
- # (bug #504854)
- rm -rf "${ED}"/run || die
-
- find "${ED}" -type f -name "*.la" -delete || die #697812
-}
-
-pkg_postinst() {
- tmpfiles_process sudo.conf
-
- #652958
- local sudo_db="${EROOT}/var/db/sudo"
- if [[ "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then
- chmod 711 "${sudo_db}" || die
- fi
-
- if use ldap ; then
- ewarn
- ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."
- ewarn
- if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
- ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
- ewarn "configured in /etc/nsswitch.conf."
- ewarn
- ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"
- ewarn " sudoers: ldap files"
- ewarn
- fi
- fi
- if use prefix ; then
- ewarn
- ewarn "To use sudo, you need to change file ownership and permissions"
- ewarn "with root privileges, as follows:"
- ewarn
- ewarn " # chown root:root ${EPREFIX}/usr/bin/sudo"
- ewarn " # chown root:root ${EPREFIX}/usr/lib/sudo/sudoers.so"
- ewarn " # chown root:root ${EPREFIX}/etc/sudoers"
- ewarn " # chown root:root ${EPREFIX}/etc/sudoers.d"
- ewarn " # chown root:root ${EPREFIX}/var/db/sudo"
- ewarn " # chmod 4111 ${EPREFIX}/usr/bin/sudo"
- ewarn
- fi
-
- elog "To use the -A (askpass) option, you need to install a compatible"
- elog "password program from the following list. Starred packages will"
- elog "automatically register for the use with sudo (but will not force"
- elog "the -A option):"
- elog ""
- elog " [*] net-misc/ssh-askpass-fullscreen"
- elog " net-misc/x11-ssh-askpass"
- elog ""
- elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
- elog "variable to the program you want to use."
-}
diff --git a/app-admin/sudo/sudo-1.9.3_p1.ebuild b/app-admin/sudo/sudo-1.9.3_p1.ebuild
deleted file mode 100644
index d0873828489a..000000000000
--- a/app-admin/sudo/sudo-1.9.3_p1.ebuild
+++ /dev/null
@@ -1,263 +0,0 @@
-# Copyright 1999-2020 Gentoo Authors
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=7
-
-inherit pam multilib libtool systemd tmpfiles
-
-MY_P="${P/_/}"
-MY_P="${MY_P/beta/b}"
-
-DESCRIPTION="Allows users or groups to run commands as other users"
-HOMEPAGE="https://www.sudo.ws/"
-if [[ ${PV} == "9999" ]] ; then
- inherit mercurial
- EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
-else
- uri_prefix=
- case ${P} in
- *_beta*|*_rc*) uri_prefix=beta/ ;;
- esac
-
- SRC_URI="https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
- ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"
- if [[ ${PV} != *_beta* ]] && [[ ${PV} != *_rc* ]] ; then
- KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86 ~sparc-solaris"
- fi
-fi
-
-# Basic license is ISC-style as-is, some files are released under
-# 3-clause BSD license
-LICENSE="ISC BSD"
-SLOT="0"
-IUSE="gcrypt ldap libressl nls offensive pam sasl +secure-path selinux +sendmail skey ssl sssd"
-
-DEPEND="
- sys-libs/zlib:=
- gcrypt? ( dev-libs/libgcrypt:= )
- ldap? (
- >=net-nds/openldap-2.1.30-r1
- sasl? (
- dev-libs/cyrus-sasl
- net-nds/openldap[sasl]
- )
- )
- pam? ( sys-libs/pam )
- sasl? ( dev-libs/cyrus-sasl )
- skey? ( >=sys-auth/skey-1.1.5-r1 )
- ssl? (
- !libressl? ( dev-libs/openssl:0= )
- libressl? ( dev-libs/libressl:0= )
- )
- sssd? ( sys-auth/sssd[sudo] )
-"
-RDEPEND="
- ${DEPEND}
- >=app-misc/editor-wrapper-3
- virtual/editor
- ldap? ( dev-lang/perl )
- pam? ( sys-auth/pambase )
- selinux? ( sec-policy/selinux-sudo )
- sendmail? ( virtual/mta )
-"
-BDEPEND="
- sys-devel/bison
- virtual/pkgconfig
-"
-
-S="${WORKDIR}/${MY_P}"
-
-REQUIRED_USE="
- pam? ( !skey )
- skey? ( !pam )
-"
-
-REQUIRED_USE="?? ( gcrypt ssl )"
-
-MAKEOPTS+=" SAMPLES="
-
-src_prepare() {
- default
- elibtoolize
-}
-
-set_secure_path() {
- # FIXME: secure_path is a compile time setting. using PATH or
- # ROOTPATH is not perfect, env-update may invalidate this, but until it
- # is available as a sudoers setting this will have to do.
- einfo "Setting secure_path ..."
-
- # first extract the default ROOTPATH from build env
- SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env;
- echo "${ROOTPATH}")
- case "${SECURE_PATH}" in
- */usr/sbin*) ;;
- *) SECURE_PATH=$(unset PATH;
- . "${EPREFIX}"/etc/profile.env; echo "${PATH}")
- ;;
- esac
- if [[ -z ${SECURE_PATH} ]] ; then
- ewarn " Failed to detect SECURE_PATH, please report this"
- fi
-
- # then remove duplicate path entries
- cleanpath() {
- local newpath thisp IFS=:
- for thisp in $1 ; do
- if [[ :${newpath}: != *:${thisp}:* ]] ; then
- newpath+=:${thisp}
- else
- einfo " Duplicate entry ${thisp} removed..."
- fi
- done
- SECURE_PATH=${newpath#:}
- }
- cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
-
- # finally, strip gcc paths #136027
- rmpath() {
- local e newpath thisp IFS=:
- for thisp in ${SECURE_PATH} ; do
- for e ; do [[ ${thisp} == ${e} ]] && continue 2 ; done
- newpath+=:${thisp}
- done
- SECURE_PATH=${newpath#:}
- }
- rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*'
-
- einfo "... done"
-}
-
-src_configure() {
- local SECURE_PATH
- set_secure_path
-
- # audit: somebody got to explain me how I can test this before I
- # enable it.. - Diego
- # plugindir: autoconf code is crappy and does not delay evaluation
- # until `make` time, so we have to use a full path here rather than
- # basing off other values.
- myeconfargs=(
- # requires some python eclass
- --disable-python
- --enable-tmpfiles.d="${EPREFIX}"/usr/lib/tmpfiles.d
- --enable-zlib=system
- --with-editor="${EPREFIX}"/usr/libexec/editor
- --with-env-editor
- --with-plugindir="${EPREFIX}"/usr/$(get_libdir)/sudo
- --with-rundir="${EPREFIX}"/run/sudo
- --with-vardir="${EPREFIX}"/var/db/sudo
- --without-linux-audit
- --without-opie
- $(use_enable gcrypt)
- $(use_enable nls)
- $(use_enable sasl)
- $(use_enable ssl openssl)
- $(use_with ldap)
- $(use_with ldap ldap_conf_file /etc/ldap.conf.sudo)
- $(use_with offensive insults)
- $(use_with offensive all-insults)
- $(use_with pam)
- $(use_with pam pam-login)
- $(use_with secure-path secure-path "${SECURE_PATH}")
- $(use_with selinux)
- $(use_with sendmail)
- $(use_with skey)
- $(use_with sssd)
- )
-
- econf "${myeconfargs[@]}"
-}
-
-src_install() {
- default
-
- if use ldap ; then
- dodoc README.LDAP
-
- cat <<-EOF > "${T}"/ldap.conf.sudo
- # See ldap.conf(5) and README.LDAP for details
- # This file should only be readable by root
-
- # supported directives: host, port, ssl, ldap_version
- # uri, binddn, bindpw, sudoers_base, sudoers_debug
- # tls_{checkpeer,cacertfile,cacertdir,randfile,ciphers,cert,key}
- EOF
-
- if use sasl ; then
- cat <<-EOF >> "${T}"/ldap.conf.sudo
-
- # SASL directives: use_sasl, sasl_mech, sasl_auth_id
- # sasl_secprops, rootuse_sasl, rootsasl_auth_id, krb5_ccname
- EOF
- fi
-
- insinto /etc
- doins "${T}"/ldap.conf.sudo
- fperms 0440 /etc/ldap.conf.sudo
-
- insinto /etc/openldap/schema
- newins doc/schema.OpenLDAP sudo.schema
- fi
-
- pamd_mimic system-auth sudo auth account session
- pamd_mimic system-auth sudo-i auth account session
-
- keepdir /var/db/sudo/lectured
- fperms 0700 /var/db/sudo/lectured
- fperms 0711 /var/db/sudo #652958
-
- # Don't install into /run as that is a tmpfs most of the time
- # (bug #504854)
- rm -rf "${ED}"/run || die
-
- find "${ED}" -type f -name "*.la" -delete || die #697812
-}
-
-pkg_postinst() {
- tmpfiles_process sudo.conf
-
- #652958
- local sudo_db="${EROOT}/var/db/sudo"
- if [[ "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then
- chmod 711 "${sudo_db}" || die
- fi
-
- if use ldap ; then
- ewarn
- ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."
- ewarn
- if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
- ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
- ewarn "configured in /etc/nsswitch.conf."
- ewarn
- ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"
- ewarn " sudoers: ldap files"
- ewarn
- fi
- fi
- if use prefix ; then
- ewarn
- ewarn "To use sudo, you need to change file ownership and permissions"
- ewarn "with root privileges, as follows:"
- ewarn
- ewarn " # chown root:root ${EPREFIX}/usr/bin/sudo"
- ewarn " # chown root:root ${EPREFIX}/usr/lib/sudo/sudoers.so"
- ewarn " # chown root:root ${EPREFIX}/etc/sudoers"
- ewarn " # chown root:root ${EPREFIX}/etc/sudoers.d"
- ewarn " # chown root:root ${EPREFIX}/var/db/sudo"
- ewarn " # chmod 4111 ${EPREFIX}/usr/bin/sudo"
- ewarn
- fi
-
- elog "To use the -A (askpass) option, you need to install a compatible"
- elog "password program from the following list. Starred packages will"
- elog "automatically register for the use with sudo (but will not force"
- elog "the -A option):"
- elog ""
- elog " [*] net-misc/ssh-askpass-fullscreen"
- elog " net-misc/x11-ssh-askpass"
- elog ""
- elog "You can override the choice by setting the SUDO_ASKPASS environmnent"
- elog "variable to the program you want to use."
-}
diff --git a/app-admin/sudo/sudo-9999.ebuild b/app-admin/sudo/sudo-9999.ebuild
index 7d0daa6f3504..8f632cd98d7b 100644
--- a/app-admin/sudo/sudo-9999.ebuild
+++ b/app-admin/sudo/sudo-9999.ebuild
@@ -1,55 +1,69 @@
-# Copyright 1999-2020 Gentoo Authors
+# Copyright 1999-2024 Gentoo Authors
# Distributed under the terms of the GNU General Public License v2
-EAPI=7
+EAPI=8
-inherit pam multilib libtool tmpfiles
+inherit pam libtool tmpfiles toolchain-funcs
MY_P="${P/_/}"
MY_P="${MY_P/beta/b}"
DESCRIPTION="Allows users or groups to run commands as other users"
HOMEPAGE="https://www.sudo.ws/"
-if [[ ${PV} == "9999" ]] ; then
+
+if [[ ${PV} == 9999 ]] ; then
inherit mercurial
EHG_REPO_URI="https://www.sudo.ws/repos/sudo"
else
+ VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/sudo.ws.asc
+ inherit verify-sig
+
uri_prefix=
case ${P} in
*_beta*|*_rc*) uri_prefix=beta/ ;;
esac
- SRC_URI="https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
- ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz"
- if [[ ${PV} != *_beta* ]] && [[ ${PV} != *_rc* ]] ; then
- KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sparc ~x86 ~sparc-solaris"
+ SRC_URI="
+ https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz
+ ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz
+ verify-sig? (
+ https://www.sudo.ws/sudo/dist/${uri_prefix}${MY_P}.tar.gz.sig
+ ftp://ftp.sudo.ws/pub/sudo/${uri_prefix}${MY_P}.tar.gz.sig
+ )
+ "
+
+ if [[ ${PV} != *_beta* && ${PV} != *_rc* ]] ; then
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~loong ~m68k ~mips ~ppc ~ppc64 ~riscv ~s390 ~sparc ~x86"
fi
+
+ BDEPEND="verify-sig? ( sec-keys/openpgp-keys-sudo )"
fi
+S="${WORKDIR}/${MY_P}"
+
# Basic license is ISC-style as-is, some files are released under
# 3-clause BSD license
LICENSE="ISC BSD"
SLOT="0"
-IUSE="gcrypt ldap libressl nls offensive pam sasl +secure-path selinux +sendmail skey ssl sssd"
+IUSE="gcrypt ldap nls offensive pam sasl +secure-path selinux +sendmail skey ssl sssd"
DEPEND="
sys-libs/zlib:=
+ virtual/libcrypt:=
gcrypt? ( dev-libs/libgcrypt:= )
ldap? (
- >=net-nds/openldap-2.1.30-r1
+ >=net-nds/openldap-2.1.30-r1:=
sasl? (
dev-libs/cyrus-sasl
- net-nds/openldap[sasl]
+ net-nds/openldap:=[sasl]
)
)
pam? ( sys-libs/pam )
sasl? ( dev-libs/cyrus-sasl )
+ selinux? ( sys-libs/libselinux )
skey? ( >=sys-auth/skey-1.1.5-r1 )
- ssl? (
- !libressl? ( dev-libs/openssl:0= )
- libressl? ( dev-libs/libressl:0= )
- )
- sssd? ( sys-auth/sssd[sudo(+)] )
+ ssl? ( dev-libs/openssl:= )
+ sssd? ( sys-auth/sssd[sudo] )
"
RDEPEND="
${DEPEND}
@@ -60,44 +74,41 @@ RDEPEND="
selinux? ( sec-policy/selinux-sudo )
sendmail? ( virtual/mta )
"
-BDEPEND="
- sys-devel/bison
+BDEPEND+="
+ app-alternatives/yacc
+ virtual/pkgconfig
"
-S="${WORKDIR}/${MY_P}"
-
REQUIRED_USE="
- pam? ( !skey )
- skey? ( !pam )
+ ?? ( pam skey )
+ ?? ( gcrypt ssl )
"
MAKEOPTS+=" SAMPLES="
src_prepare() {
default
+
elibtoolize
}
set_secure_path() {
- # FIXME: secure_path is a compile time setting. using PATH or
- # ROOTPATH is not perfect, env-update may invalidate this, but until it
- # is available as a sudoers setting this will have to do.
- einfo "Setting secure_path ..."
-
- # first extract the default ROOTPATH from build env
- SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env;
- echo "${ROOTPATH}")
- case "${SECURE_PATH}" in
- */usr/sbin*) ;;
- *) SECURE_PATH=$(unset PATH;
- . "${EPREFIX}"/etc/profile.env; echo "${PATH}")
- ;;
- esac
+ # First extract the default ROOTPATH from build env
+ SECURE_PATH=$(unset ROOTPATH; . "${EPREFIX}"/etc/profile.env; echo "${ROOTPATH}")
+
+ case "${SECURE_PATH}" in
+ */usr/sbin*)
+ ;;
+ *)
+ SECURE_PATH=$(unset PATH; . "${EPREFIX}"/etc/profile.env; echo "${PATH}")
+ ;;
+ esac
+
if [[ -z ${SECURE_PATH} ]] ; then
ewarn " Failed to detect SECURE_PATH, please report this"
fi
- # then remove duplicate path entries
+ # Then remove duplicate path entries
cleanpath() {
local newpath thisp IFS=:
for thisp in $1 ; do
@@ -109,32 +120,43 @@ set_secure_path() {
done
SECURE_PATH=${newpath#:}
}
- cleanpath /bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
+ cleanpath /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin${SECURE_PATH:+:${SECURE_PATH}}
- # finally, strip gcc paths #136027
+ # Finally, strip gcc paths, bug #136027
rmpath() {
local e newpath thisp IFS=:
for thisp in ${SECURE_PATH} ; do
- for e ; do [[ ${thisp} == ${e} ]] && continue 2 ; done
+ for e ; do
+ [[ ${thisp} == ${e} ]] && continue 2 ;
+ done
newpath+=:${thisp}
done
SECURE_PATH=${newpath#:}
}
rmpath '*/gcc-bin/*' '*/gnat-gcc-bin/*' '*/gnat-gcc/*'
-
- einfo "... done"
}
src_configure() {
local SECURE_PATH
+
set_secure_path
- # audit: somebody got to explain me how I can test this before I
+ # bug #767712
+ tc-export PKG_CONFIG
+
+ # - audit: somebody got to explain me how I can test this before I
# enable it.. - Diego
- # plugindir: autoconf code is crappy and does not delay evaluation
+ # - plugindir: autoconf code is crappy and does not delay evaluation
# until `make` time, so we have to use a full path here rather than
# basing off other values.
- myeconfargs=(
+ local myeconfargs=(
+ # We set all of the relevant options by ourselves (patched
+ # into the toolchain) and setting these in the build system
+ # actually causes a downgrade when using e.g. -D_FORTIFY_SOURCE=3
+ # (it'll downgrade to =2). So, this has no functional effect on
+ # the hardening for users. It's safe.
+ --disable-hardening
+
# requires some python eclass
--disable-python
--enable-tmpfiles.d="${EPREFIX}"/usr/lib/tmpfiles.d
@@ -170,10 +192,10 @@ src_install() {
default
if use ldap ; then
- dodoc README.LDAP
+ dodoc README.LDAP.md
cat <<-EOF > "${T}"/ldap.conf.sudo
- # See ldap.conf(5) and README.LDAP for details
+ # See ldap.conf(5) and README.LDAP.md for details
# This file should only be readable by root
# supported directives: host, port, ssl, ldap_version
@@ -194,26 +216,31 @@ src_install() {
fperms 0440 /etc/ldap.conf.sudo
insinto /etc/openldap/schema
- newins doc/schema.OpenLDAP sudo.schema
+ newins docs/schema.OpenLDAP sudo.schema
fi
- pamd_mimic system-auth sudo auth account session
+ if use pam ; then
+ pamd_mimic system-auth sudo auth account session
+ pamd_mimic system-auth sudo-i auth account session
+ fi
keepdir /var/db/sudo/lectured
fperms 0700 /var/db/sudo/lectured
- fperms 0711 /var/db/sudo #652958
+ # bug #652958
+ fperms 0711 /var/db/sudo
# Don't install into /run as that is a tmpfs most of the time
# (bug #504854)
rm -rf "${ED}"/run || die
- find "${ED}" -type f -name "*.la" -delete || die #697812
+ # bug #697812
+ find "${ED}" -type f -name "*.la" -delete || die
}
pkg_postinst() {
tmpfiles_process sudo.conf
- #652958
+ # bug #652958
local sudo_db="${EROOT}/var/db/sudo"
if [[ "$(stat -c %a "${sudo_db}")" -ne 711 ]] ; then
chmod 711 "${sudo_db}" || die
@@ -221,20 +248,20 @@ pkg_postinst() {
if use ldap ; then
ewarn
- ewarn "sudo uses the /etc/ldap.conf.sudo file for ldap configuration."
+ ewarn "sudo uses the ${ROOT}/etc/ldap.conf.sudo file for ldap configuration."
ewarn
if grep -qs '^[[:space:]]*sudoers:' "${ROOT}"/etc/nsswitch.conf ; then
ewarn "In 1.7 series, LDAP is no more consulted, unless explicitly"
- ewarn "configured in /etc/nsswitch.conf."
+ ewarn "configured in ${ROOT}/etc/nsswitch.conf."
ewarn
- ewarn "To make use of LDAP, add this line to your /etc/nsswitch.conf:"
+ ewarn "To make use of LDAP, add this line to your ${ROOT}/etc/nsswitch.conf:"
ewarn " sudoers: ldap files"
ewarn
fi
fi
if use prefix ; then
ewarn
- ewarn "To use sudo, you need to change file ownership and permissions"
+ ewarn "To use sudo on Prefix, you need to change file ownership and permissions"
ewarn "with root privileges, as follows:"
ewarn
ewarn " # chown root:root ${EPREFIX}/usr/bin/sudo"