1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
|
%set
if test -n "$flavor"; then
name="sudo-$flavor"
pp_kit_package="sudo_$flavor"
else
name="sudo"
pp_kit_package="sudo"
fi
summary="Provide limited super-user priveleges to specific users"
description="Sudo is a program designed to allow a sysadmin to give \
limited root privileges to users and log root activity. \
The basic philosophy is to give as few privileges as possible but \
still allow people to get their work done."
vendor="Todd C. Miller"
copyright="(c) 1993-1996,1998-2010 Todd C. Miller"
# Convert to 4 part version for AIX, including patch level
pp_aix_version=`echo $version|sed -e 's/\([0-9]*\.[0-9]*\.[0-9]*\)$/\1.0/' -e 's/[^0-9]*\([0-9]*\)$/.\1/'`
# Strip of patchlevel for kit which only supports x.y.z versions
pp_kit_version="`echo $version|sed -e 's/\.//g' -e 's/p[0-9]*$//'`"
pp_kit_name="TCM"
pp_sd_vendor_tag="TCM"
pp_solaris_name="TCM${name}"
%if [rpm,deb]
# Convert patch level into release and remove from version
pp_rpm_release="`echo $version|sed 's/^[0-9]*\.[0-9]*\.[0-9]*[^0-9]*//'`"
pp_rpm_release="`expr $pp_rpm_release + 1`"
pp_rpm_version="`echo $version|sed 's/p[0-9]*$//'`"
pp_rpm_license="BSD"
pp_rpm_url="http://www.sudo.ws/"
pp_rpm_group="Applications/System"
pp_rpm_packager="Todd.Miller@courtesan.com"
pp_deb_maintainer="$pp_rpm_packager"
pp_deb_release="$pp_rpm_release"
pp_deb_version="$pp_rpm_version"
%else
# For all but RPM and Debian we need to install sudoers with a different
# name and make a copy of it if there is no existing file.
mv ${pp_destdir}$sudoersdir/sudoers ${pp_destdir}$sudoersdir/sudoers.dist
%endif
%set [rpm]
# Add distro info to release
osrelease=`echo "$pp_rpm_distro" | sed -e 's/^[^0-9]*//' -e 's/-.*$//'`
case "$pp_rpm_distro" in
centos*|rhel*)
pp_rpm_release="$pp_rpm_release.el${osrelease%%[0-9]}"
;;
sles*)
pp_rpm_release="$pp_rpm_release.sles$osrelease"
;;
esac
# Uncomment some Defaults in sudoers
# Note that the order must match that of sudoers.
case "$pp_rpm_distro" in
centos*|rhel*)
/bin/ed - ${pp_destdir}${sudoersdir}/sudoers <<-'EOF'
/Locale settings/+1,s/^# //
/Desktop path settings/+1,s/^# //
w
q
EOF
;;
sles*)
/bin/ed - ${pp_destdir}${sudoersdir}/sudoers <<-'EOF'
/Locale settings/+1,s/^# //
/ConsoleKit session/+1,s/^# //
/allow any user to run sudo if they know the password/+2,s/^# //
/allow any user to run sudo if they know the password/+3,s/^# //
w
q
EOF
;;
esac
# For RedHat the doc dir is expected to include version and release
case "$pp_rpm_distro" in
centos*|rhel*)
mv ${pp_destdir}/${docdir} ${pp_destdir}/${docdir}-${version}-${pp_rpm_release}
docdir=${docdir}-${version}-${pp_rpm_release}
;;
esac
# Choose the correct PAM file by distro, must be tab indented for "<<-"
case "$pp_rpm_distro" in
centos*|rhel*)
mkdir -p ${pp_destdir}/etc/pam.d
if test $osrelease -lt 50; then
cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
#%PAM-1.0
auth required pam_stack.so service=system-auth
account required pam_stack.so service=system-auth
password required pam_stack.so service=system-auth
session required pam_limits.so
EOF
else
cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
EOF
cat > ${pp_destdir}/etc/pam.d/sudo-i <<-EOF
#%PAM-1.0
auth include sudo
account include sudo
password include sudo
session optional pam_keyinit.so force revoke
session required pam_limits.so
EOF
fi
;;
sles*)
mkdir -p ${pp_destdir}/etc/pam.d
if test $osrelease -lt 10; then
cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
#%PAM-1.0
auth required pam_unix2.so
session required pam_limits.so
EOF
else
cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
#%PAM-1.0
auth include common-auth
account include common-account
password include common-password
session include common-session
# session optional pam_xauth.so
EOF
fi
;;
esac
%set [deb]
# Uncomment some Defaults and the %sudo rule in sudoers
# Note that the order must match that of sudoers and be tab-indented.
/bin/ed - ${pp_destdir}${sudoersdir}/sudoers <<-'EOF'
/Locale settings/+1,s/^# //
/X11 resource/+1,s/^# //
/^# \%sudo/,s/^# //
w
q
EOF
mkdir -p ${pp_destdir}/etc/pam.d
cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
#%PAM-1.0
@include common-auth
@include common-account
session required pam_permit.so
session required pam_limits.so
EOF
%set [aix]
summary="Configurable super-user privileges"
%files
$bindir/sudo 4111 root:
$bindir/sudoedit 4111 root:
$sbindir/visudo 0111
$bindir/sudoreplay 0111
$libexecdir/*
$sudoersdir/sudoers.d/ 0750 $sudoers_uid:$sudoers_gid
$timedir/ 0700 root:
$docdir/
$docdir/*
/etc/pam.d/* volatile,optional
%if [rpm,deb]
$sudoersdir/sudoers $sudoers_mode $sudoers_uid:$sudoers_gid volatile
%else
$sudoersdir/sudoers.dist $sudoers_mode $sudoers_uid:$sudoers_gid volatile
%endif
%files [!aix]
$mandir/man*/*
%files [aix]
# Some versions use catpages, some use manpages.
$mandir/cat*/* optional
$mandir/man*/* optional
%post [!rpm,deb]
# Don't overwrite an existing sudoers file
sudoersdir=%{sudoersdir}
if test ! -r $sudoersdir/sudoers; then
cp -p $sudoersdir/sudoers.dist $sudoersdir/sudoers
fi
%post [deb]
# dpkg-deb does not maintain the mode on the sudoers file, and
# installs it 0640 when sudo requires 0440
chmod %{sudoers_mode} %{sudoersdir}/sudoers
# create symlink to ease transition to new path for ldap config
# if old config file exists and new one doesn't
if test X"%{flavor}" = X"ldap" -a \
-r /etc/ldap/ldap.conf -a ! -r /etc/sudo-ldap.conf; then
ln -s /etc/ldap/ldap.conf /etc/sudo-ldap.conf
fi
# Debian uses a sudo group in its default sudoers file
perl -e '
exit 0 if getgrnam("sudo");
$gid = 27; # default debian sudo gid
setgrent();
while (getgrgid($gid)) { $gid++; }
if ($gid != 27) {
print "On Debian we normally use gid 27 for \"sudo\".\n";
$gname = getgrgid(27);
print "However, on your system gid 27 is group \"$gname\".\n\n";
print "Would you like me to stop configuring sudo so that you can change this? [n] ";
$ans = <STDIN>;
if ($ans =~ /^[yY]/) {
print "\"dpkg --pending --configure\" will restart the configuration.\n\n";
exit 1;
}
}
print "Creating group \"sudo\" with gid = $gid\n";
system("groupadd -g $gid sudo");
exit 0;
'
%preun [deb]
# Remove the /etc/ldap/ldap.conf -> /etc/sudo-ldap.conf symlink if
# it matches what we created in the postinstall script.
if test X"%{flavor}" = X"ldap" -a \
X"`readlink /etc/sudo-ldap.conf 2>/dev/null`" = X"/etc/ldap/ldap.conf"; then
rm -f /etc/sudo-ldap.conf
fi
|