From: Todd C. Miller Date: Thu, 15 Jul 2010 18:58:00 +0000 (-0400) Subject: Use tab indents to reduce the chance of problem with <<- X-Git-Tag: SUDO_1_7_4~77 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=471e5b44609e20c23199dd44f9785d299b726695;p=sudo Use tab indents to reduce the chance of problem with <<- Uncomment some env_keep lines for RHEL, SLES and Debian to more closely match the vendor sudoers files. --HG-- branch : 1.7 --- diff --git a/sudo.pp b/sudo.pp index 29bed6f1c..d235a1230 100644 --- a/sudo.pp +++ b/sudo.pp @@ -1,199 +1,218 @@ %set - if test -n "$SUDO_FLAVOR"; then - name="sudo-$SUDO_FLAVOR" - else - name="sudo" - fi - summary="Provide limited super-user priveleges to specific users" - description="Sudo is a program designed to allow a sysadmin to give \ + if test -n "$SUDO_FLAVOR"; then + name="sudo-$SUDO_FLAVOR" + else + name="sudo" + fi + summary="Provide limited super-user priveleges to specific users" + description="Sudo is a program designed to allow a sysadmin to give \ limited root privileges to users and log root activity. \ The basic philosophy is to give as few privileges as possible but \ still allow people to get their work done." - vendor="Todd C. Miller" - copyright="(c) 1993-1996,1998-2010 Todd C. Miller" - pp_rpm_release="1" - pp_rpm_license="BSD" - pp_rpm_url="http://www.sudo.ws/" - pp_rpm_group="Applications/System" - pp_rpm_packager="Todd.Miller@courtesan.com" - pp_deb_maintainer="Todd.Miller@courtesan.com" - pp_sd_vendor_tag="TCM" - pp_solaris_name="TCMsudo" + vendor="Todd C. Miller" + copyright="(c) 1993-1996,1998-2010 Todd C. Miller" + pp_rpm_release="1" + pp_rpm_license="BSD" + pp_rpm_url="http://www.sudo.ws/" + pp_rpm_group="Applications/System" + pp_rpm_packager="Todd.Miller@courtesan.com" + pp_deb_maintainer="Todd.Miller@courtesan.com" + pp_sd_vendor_tag="TCM" + pp_solaris_name="TCMsudo" %set [rpm] - # Add distro info to release - case "$pp_rpm_distro" in - centos*|rhel*) - d=`echo "$pp_rpm_distro" | sed -e 's/^[^0-9]*//' -e 's/[^0-9].*$//'` - if test -n "$d"; then - pp_rpm_release="$pp_rpm_release.el$d" - fi - ;; - sles*) - d=`echo "$pp_rpm_distro" | sed -e 's/^[^0-9]*//' -e 's/[^0-9].*$//'` - if test -n "$d"; then - pp_rpm_release="$pp_rpm_release.sles$d" - fi - ;; - esac - - # For RedHat the doc dir is expected to include version and release - case "$pp_rpm_distro" in - centos*|rhel*) - mv ${pp_destdir}/${docdir} ${pp_destdir}/${docdir}-${version}-1 - docdir=${docdir}-${version}-1 - ;; - esac - - # Choose the correct PAM file by distro - case "$pp_rpm_distro" in - centos[0-4].*|rhel[0-4].*) - mkdir -p ${pp_destdir}/etc/pam.d - cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF - #%PAM-1.0 - auth required pam_stack.so service=system-auth - account required pam_stack.so service=system-auth - password required pam_stack.so service=system-auth - session required pam_limits.so - EOF - ;; - centos*|rhel*) - mkdir -p ${pp_destdir}/etc/pam.d - cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF - #%PAM-1.0 - auth include system-auth - account include system-auth - password include system-auth - session optional pam_keyinit.so revoke - session required pam_limits.so - EOF - cat > ${pp_destdir}/etc/pam.d/sudo-i <<-EOF - #%PAM-1.0 - auth include sudo - account include sudo - password include sudo - session optional pam_keyinit.so force revoke - session required pam_limits.so - EOF - ;; - sles9.*) - mkdir -p ${pp_destdir}/etc/pam.d - cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF - #%PAM-1.0 - auth required pam_unix2.so - session required pam_limits.so - EOF - ;; - sles*) - mkdir -p ${pp_destdir}/etc/pam.d - cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF - #%PAM-1.0 - auth include common-auth - account include common-account - password include common-password - session include common-session - # session optional pam_xauth.so - EOF - ;; - esac + # Add distro info to release + case "$pp_rpm_distro" in + centos*|rhel*) + d=`echo "$pp_rpm_distro" | sed -e 's/^[^0-9]*//' -e 's/[^0-9].*$//'` + if test -n "$d"; then + pp_rpm_release="$pp_rpm_release.el$d" + fi + ;; + sles*) + d=`echo "$pp_rpm_distro" | sed -e 's/^[^0-9]*//' -e 's/[^0-9].*$//'` + if test -n "$d"; then + pp_rpm_release="$pp_rpm_release.sles$d" + fi + ;; + esac + + # Uncomment some Defaults in sudoers.dist + # Note that the order must match that of sudoers. + case "$pp_rpm_distro" in + centos*|rhel*) + # Uncomment some Defaults in sudoers.dist, must be tab indented. + # Note that the order must match that of sudoers. + /bin/ed - ${pp_destdir}${sudoersdir}/sudoers.dist <<-'EOF' + /Locale settings/+1,s/^# // + /Desktop path settings/+1,s/^# // + w + q + EOF + ;; + sles*) + # Uncomment some Defaults in sudoers.dist, must be tab indented. + # Note that the order must match that of sudoers. + /bin/ed - ${pp_destdir}${sudoersdir}/sudoers.dist <<-'EOF' + /Locale settings/+1,s/^# // + /ConsoleKit session/+1,s/^# // + w + q + EOF + ;; + esac + + # For RedHat the doc dir is expected to include version and release + case "$pp_rpm_distro" in + centos*|rhel*) + mv ${pp_destdir}/${docdir} ${pp_destdir}/${docdir}-${version}-1 + docdir=${docdir}-${version}-1 + ;; + esac + + # Choose the correct PAM file by distro, must be tab indented for "<<-" + case "$pp_rpm_distro" in + centos[0-4].*|rhel[0-4].*) + mkdir -p ${pp_destdir}/etc/pam.d + cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF + #%PAM-1.0 + auth required pam_stack.so service=system-auth + account required pam_stack.so service=system-auth + password required pam_stack.so service=system-auth + session required pam_limits.so + EOF + ;; + centos*|rhel*) + mkdir -p ${pp_destdir}/etc/pam.d + cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF + #%PAM-1.0 + auth include system-auth + account include system-auth + password include system-auth + session optional pam_keyinit.so revoke + session required pam_limits.so + EOF + cat > ${pp_destdir}/etc/pam.d/sudo-i <<-EOF + #%PAM-1.0 + auth include sudo + account include sudo + password include sudo + session optional pam_keyinit.so force revoke + session required pam_limits.so + EOF + ;; + sles9.*) + mkdir -p ${pp_destdir}/etc/pam.d + cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF + #%PAM-1.0 + auth required pam_unix2.so + session required pam_limits.so + EOF + ;; + sles*) + mkdir -p ${pp_destdir}/etc/pam.d + cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF + #%PAM-1.0 + auth include common-auth + account include common-account + password include common-password + session include common-session + # session optional pam_xauth.so + EOF + ;; + esac %set [deb] - # Uncomment %sudo rule in sudoers.dist - /bin/ed - ${pp_destdir}${sudoersdir}/sudoers.dist <<-'EOF' - /^# \%sudo/,s/^# // - w - q - EOF - mkdir -p ${pp_destdir}/etc/pam.d - cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF - #%PAM-1.0 - - @include common-auth - @include common-account - - session required pam_permit.so - session required pam_limits.so - EOF + # Uncomment some Defaults and the %sudo rule in sudoers.dist + # Note that the order must match that of sudoers and be tab-indented. + /bin/ed - ${pp_destdir}${sudoersdir}/sudoers.dist <<-'EOF' + /Locale settings/+1,s/^# // + /X11 resource/+1,s/^# // + /^# \%sudo/,s/^# // + w + q + EOF + mkdir -p ${pp_destdir}/etc/pam.d + cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF + #%PAM-1.0 + + @include common-auth + @include common-account + + session required pam_permit.so + session required pam_limits.so + EOF %set [aix] - pp_aix_version=`echo $version | sed -e 's,\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\([0-9][0-9]*\)q\([0-9][0-9]*\),\1.\2.\3.\4,'` - summary="Configurable super-user privileges" + pp_aix_version=`echo $version | sed -e 's,\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\)p\([0-9][0-9]*\)q\([0-9][0-9]*\),\1.\2.\3.\4,'` + summary="Configurable super-user privileges" %files - $bindir/sudo 4111 root: - $bindir/sudoedit 4111 root: - $sbindir/visudo 0111 - $bindir/sudoreplay 0111 - $libexecdir/* - $sudoersdir/sudoers.dist $sudoers_mode $sudoers_uid:$sudoers_gid volatile - $sudoersdir/sudoers.d/ 0750 $sudoers_uid:$sudoers_gid - $timedir/ 0700 root: - $docdir/ - $docdir/* + $bindir/sudo 4111 root: + $bindir/sudoedit 4111 root: + $sbindir/visudo 0111 + $bindir/sudoreplay 0111 + $libexecdir/* + $sudoersdir/sudoers.dist $sudoers_mode $sudoers_uid:$sudoers_gid volatile + $sudoersdir/sudoers.d/ 0750 $sudoers_uid:$sudoers_gid + $timedir/ 0700 root: + $docdir/ + $docdir/* + /etc/pam.d/* volatile,optional %files [!aix] - $mandir/man*/* + $mandir/man*/* %files [aix] - # Some versions use catpages, some use manpages. - $mandir/cat*/* optional - $mandir/man*/* optional - -%files [rpm] - /etc/pam.d/* volatile,optional - -%files [deb] - /etc/pam.d/* volatile,optional + # Some versions use catpages, some use manpages. + $mandir/cat*/* optional + $mandir/man*/* optional %post - # Don't overwrite an existing sudoers file - sudoersdir=%{sudoersdir} - if test ! -r $sudoersdir/sudoers; then - cp -p $sudoersdir/sudoers.dist $sudoersdir/sudoers - fi + # Don't overwrite an existing sudoers file + sudoersdir=%{sudoersdir} + if test ! -r $sudoersdir/sudoers; then + cp -p $sudoersdir/sudoers.dist $sudoersdir/sudoers + fi %post [deb] - # dpkg-deb does not maintain the mode on the sudoers file, and - # installs it 0640 when sudo requires 0440 - chmod %{sudoers_mode} %{sudoersdir}/sudoers - - # create symlink to ease transition to new path for ldap config - # if old config file exists and new one doesn't - if test X"%{SUDO_FLAVOR}" = X"ldap"; then - if test -r /etc/ldap/ldap.conf -a ! -r /etc/sudo-ldap.conf; then - ln -s /etc/ldap/ldap.conf /etc/sudo-ldap.conf - fi - fi - - # Debian uses a sudo group in its default sudoers file - perl -e ' - exit 0 if getgrnam("sudo"); - $gid = 27; # default debian sudo gid - setgrent(); - while (getgrgid($gid)) { $gid++; } - if ($gid != 27) { - print "On Debian we normally use gid 27 for \"sudo\".\n"; - $gname = getgrgid(27); - print "However, on your system gid 27 is group \"$gname\".\n\n"; - print "Would you like me to stop configuring sudo so that you can change this? [n] "; - $ans = ; - if ($ans =~ /^[yY]/) { - print "\"dpkg --pending --configure\" will restart the configuration.\n\n"; - exit 1; - } - } - print "Creating group \"sudo\" with gid = $gid\n"; - system("groupadd -g $gid sudo"); - exit 0; - ' + # dpkg-deb does not maintain the mode on the sudoers file, and + # installs it 0640 when sudo requires 0440 + chmod %{sudoers_mode} %{sudoersdir}/sudoers + + # create symlink to ease transition to new path for ldap config + # if old config file exists and new one doesn't + if test X"%{SUDO_FLAVOR}" = X"ldap" -a \ + -r /etc/ldap/ldap.conf -a ! -r /etc/sudo-ldap.conf; then + ln -s /etc/ldap/ldap.conf /etc/sudo-ldap.conf + fi + + # Debian uses a sudo group in its default sudoers file + perl -e ' + exit 0 if getgrnam("sudo"); + $gid = 27; # default debian sudo gid + setgrent(); + while (getgrgid($gid)) { $gid++; } + if ($gid != 27) { + print "On Debian we normally use gid 27 for \"sudo\".\n"; + $gname = getgrgid(27); + print "However, on your system gid 27 is group \"$gname\".\n\n"; + print "Would you like me to stop configuring sudo so that you can change this? [n] "; + $ans = ; + if ($ans =~ /^[yY]/) { + print "\"dpkg --pending --configure\" will restart the configuration.\n\n"; + exit 1; + } + } + print "Creating group \"sudo\" with gid = $gid\n"; + system("groupadd -g $gid sudo"); + exit 0; + ' %preun [deb] - # Remove the /etc/ldap/ldap.conf -> /etc/sudo-ldap.conf symlink if - # it matches what we created in the postinstall script. - if test X"%{SUDO_FLAVOR}" = X"ldap"; then - if test X"`readlink /etc/sudo-ldap.conf 2>/dev/null`" = X"/etc/ldap/ldap.conf"; then - rm -f /etc/sudo-ldap.conf - fi - fi - -# vim:ts=2:sw=2:et + # Remove the /etc/ldap/ldap.conf -> /etc/sudo-ldap.conf symlink if + # it matches what we created in the postinstall script. + if test X"%{SUDO_FLAVOR}" = X"ldap" -a \ + X"`readlink /etc/sudo-ldap.conf 2>/dev/null`" = X"/etc/ldap/ldap.conf"; then + rm -f /etc/sudo-ldap.conf + fi