]>
Commit | Line | Data |
---|---|---|
1 | # | |
2 | # Conditional build: | |
3 | %if "%{pld_release}" == "ac" | |
4 | %bcond_with audit # Linux audit support | |
5 | %else | |
6 | %bcond_without audit # Linux audit support | |
7 | %endif | |
8 | %bcond_with kerberos5 # Kerberos V support (conflicts with PAM) | |
9 | %bcond_without ldap # LDAP support | |
10 | %bcond_without pam # PAM support | |
11 | %bcond_without selinux # SELinux support | |
12 | %bcond_with skey # skey (onetime passwords) support (conflicts with PAM) | |
13 | %bcond_without sssd # SSSD support plugin | |
14 | %bcond_without tests # do not perform "make check" | |
15 | %bcond_without apparmor # AppArmor support | |
16 | ||
17 | %if "%{pld_release}" == "ac" | |
18 | %define pam_ver 0.80.1 | |
19 | %else | |
20 | %define pam_ver 0.99.7.1 | |
21 | %endif | |
22 | ||
23 | Summary: Allows command execution as root for specified users | |
24 | Summary(es.UTF-8): Permite que usuarios específicos ejecuten comandos como se fueran el root | |
25 | Summary(ja.UTF-8): 指定ユーザに制限付のroot権限を許可する | |
26 | Summary(pl.UTF-8): Umożliwia wykonywanie poleceń jako root dla konkretnych użytkowników | |
27 | Summary(pt_BR.UTF-8): Permite que usuários específicos executem comandos como se fossem o root | |
28 | Summary(ru.UTF-8): Позволяет определенным пользователям исполнять команды от имени root | |
29 | Summary(uk.UTF-8): Дозволяє вказаним користувачам виконувати команди від імені root | |
30 | Name: sudo | |
31 | # please see docs/UPGRADE.md for important changes each time updating sudo | |
32 | Version: 1.9.11p1 | |
33 | Release: 1 | |
34 | Epoch: 1 | |
35 | License: BSD | |
36 | Group: Applications/System | |
37 | Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz | |
38 | # Source0-md5: 8cd373aec6cde5e93a646d2950bf8df6 | |
39 | Source1: %{name}.pamd | |
40 | Source2: %{name}-i.pamd | |
41 | Patch0: %{name}-env.patch | |
42 | Patch1: config.patch | |
43 | Patch2: %{name}-sh.patch | |
44 | URL: http://www.sudo.ws/sudo/ | |
45 | %{?with_audit:BuildRequires: audit-libs-devel} | |
46 | BuildRequires: autoconf >= 2.53 | |
47 | BuildRequires: autoconf-archive | |
48 | BuildRequires: automake | |
49 | BuildRequires: bison | |
50 | BuildRequires: flex | |
51 | BuildRequires: gettext-devel | |
52 | BuildRequires: groff | |
53 | %{?with_kerberos5:BuildRequires: heimdal-devel} | |
54 | %{?with_apparmor:BuildRequires: libapparmor-devel} | |
55 | %{?with_selinux:BuildRequires: libselinux-devel} | |
56 | BuildRequires: libtool >= 2:2.2.6 | |
57 | %{?with_ldap:BuildRequires: openldap-devel >= 2.3.0} | |
58 | %{?with_pam:BuildRequires: pam-devel} | |
59 | BuildRequires: rpm >= 4.4.9-56 | |
60 | BuildRequires: rpmbuild(macros) >= 1.752 | |
61 | %{?with_skey:BuildRequires: skey-devel >= 2.2-11} | |
62 | BuildRequires: zlib-devel | |
63 | %if "%{pld_release}" != "ac" | |
64 | # uses /run | |
65 | Requires: FHS >= 3.0 | |
66 | %endif | |
67 | Requires: pam >= %{pam_ver} | |
68 | Obsoletes: cu-sudo | |
69 | BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n) | |
70 | ||
71 | %define schemadir /usr/share/openldap/schema | |
72 | ||
73 | # uses sudo_warn_*_v1 symbols from binaries | |
74 | %define skip_post_check_so libsudo_util.so.* | |
75 | ||
76 | %description | |
77 | Sudo (superuser do) allows a permitted user to execute a command as | |
78 | the superuser (real and effective uid and gid are set to 0 and root's | |
79 | group as set in the passwd file respectively). | |
80 | ||
81 | Sudo determines who is an authorized user by consulting the file | |
82 | /etc/sudoers. By giving sudo the -v flag a user can update the time | |
83 | stamp without running a command. The password prompt itself will also | |
84 | time out if the password is not entered with N minutes (again, this is | |
85 | defined at installation time and defaults to 5 minutes). | |
86 | ||
87 | %description -l es.UTF-8 | |
88 | Sudo (superuser do) permite que el administrador del sistema otorga a | |
89 | ciertos usuarios (o grupos de usuarios) la habilidad para ejecutar | |
90 | algunos (o todos) comandos como root, registrando todos los comandos y | |
91 | argumentos. Sudo opera en una base por comando, no siendo un | |
92 | substituto para la shell. | |
93 | ||
94 | %description -l ja.UTF-8 | |
95 | sudo (superuser do) | |
96 | とはシステム管理者が、信用できるユーザ(またはグループ)に対 | |
97 | して、いくつか(もしくは全て)のコマンドを root | |
98 | として実行できるよう、そのコマン | |
99 | ドの実行履歴のログをとりつつ許可する仕組みです。sudo | |
100 | はコマンド一行単位で動作 | |
101 | します。シェルの置き換えではありません。以下の機能を内蔵しています。ホスト単位 | |
102 | で、そのコマンドを実行可能なユーザを制限する機能、各コマンドについての(誰がな | |
103 | にを実行したかの痕跡を残すための)豊富なロギング機能、sudo | |
104 | コマンドのタイムアウ | |
105 | ト時間を設定可能、複数のマシンで同一の設定ファイル(sudoers)を共有する機能、が | |
106 | あります。 | |
107 | ||
108 | %description -l pl.UTF-8 | |
109 | Sudo (superuser do) umożliwia wykonywanie konkretnych poleceń jako | |
110 | root dla wyspecyfikowanych użytkowników (rzeczywiste i efektywne | |
111 | uid/gid podczas wykonywania tych programów jest 0). To kto może | |
112 | wykonywać konkretne polecenia i w jaki sposób ma być autoryzowany jest | |
113 | opisane w pliku /etc/sudoers. | |
114 | ||
115 | %description -l pt_BR.UTF-8 | |
116 | Sudo (superuser do) permite que o administrador do sistema dê a certos | |
117 | usuários (ou grupos de usuários) a habilidade para rodar alguns (ou | |
118 | todos) comandos como root, registrando todos os comandos e argumentos. | |
119 | Sudo opera numa base por comando, não sendo um substituto para a | |
120 | shell. | |
121 | ||
122 | %description -l ru.UTF-8 | |
123 | Sudo (superuser do) позволяет системному администратору предоставлять | |
124 | определенным пользователям (или их группам) возможность исполнять | |
125 | некоторые (или все) команды с правами root, при этом протоколируя все | |
126 | команды и аргументы. Sudo работает с отдельными командами, это не | |
127 | замена командной оболочки (shell). Некоторые из возможностей sudo: | |
128 | ограничение того, какие команды пользователь может запускать в | |
129 | зависимости от хоста; полное протоколирование каждой команды; | |
130 | настраиваемое время, на протяжении которого sudo помнит пароль; | |
131 | использование одного конфигурационного файла (sudoers) на многих | |
132 | машинах. | |
133 | ||
134 | %description -l uk.UTF-8 | |
135 | Sudo (superuser do) дозволяє системному адміністраторові надати певним | |
136 | користувачам (чи їх групам) можливість виконувати деякі (чи всі) | |
137 | команди з правами root, при цьому протоколюючи всі команди та | |
138 | аргументи. Sudo працює з окремими командами, це не заміна командної | |
139 | оболонки (shell). Деякі з можливостей sudo: обмеження того, які | |
140 | команди користувач може запускати в залежності від хоста; повне | |
141 | протоколювання кожної команди; настроюваний час, на протязі якого sudo | |
142 | пам'ятає пароль; використання одного конфігураційного файлу (sudoers) | |
143 | на багатьох машинах. | |
144 | ||
145 | %package devel | |
146 | Summary: Header file for sudo plugins development | |
147 | Summary(pl.UTF-8): Plik nagłówkowy do tworzenia wtyczek dla sudo | |
148 | Group: Development/Libraries | |
149 | ||
150 | %description devel | |
151 | Header file for sudo plugins development. | |
152 | ||
153 | %description devel -l pl.UTF-8 | |
154 | Plik nagłówkowy do tworzenia wtyczek dla sudo. | |
155 | ||
156 | %package -n openldap-schema-sudo | |
157 | Summary: Sudo LDAP schema | |
158 | Summary(pl.UTF-8): Schemat bazy sudo dla LDAP | |
159 | Group: Networking/Daemons | |
160 | Requires(post,postun): sed >= 4.0 | |
161 | Requires: openldap-servers | |
162 | Requires: sed >= 4.0 | |
163 | BuildArch: noarch | |
164 | ||
165 | %description -n openldap-schema-sudo | |
166 | This package contains sudo.schema for openldap. | |
167 | ||
168 | %description -n openldap-schema-sudo -l pl.UTF-8 | |
169 | Ten pakiet zawiera sudo.schema dla pakietu openldap. | |
170 | ||
171 | %package logsrvd | |
172 | Summary: High-performance log server for sudo | |
173 | Summary(pl.UTF-8): Wysoko wydajny serwer logujący dla sudo | |
174 | Group: Daemons | |
175 | Requires: %{name} = %{epoch}:%{version}-%{release} | |
176 | ||
177 | %description logsrvd | |
178 | sudo-logsrvd is a high-performance log server that accepts event | |
179 | and I/O logs from sudo. It can be used to implement centralized | |
180 | logging of sudo logs. | |
181 | ||
182 | %description logsrvd -l pl.UTF-8 | |
183 | sudo-logsrvd to wysoko wydajny serwer logujący przyjmyjący logi | |
184 | zdarzeń i we/wy z sudo. Może byc używany do zaimplementowania | |
185 | scentralizowanego logowania z sudo. | |
186 | ||
187 | %prep | |
188 | %setup -q | |
189 | # only local macros | |
190 | %{__mv} aclocal.m4 acinclude.m4 | |
191 | # do not load libtool macros from acinclude | |
192 | cp -p acinclude.m4 acinclude.m4.orig | |
193 | %{__sed} -i -e '/Pull in libtool macros/,$d' acinclude.m4 | |
194 | ||
195 | %patch0 -p1 | |
196 | %patch1 -p1 | |
197 | %patch2 -p1 | |
198 | ||
199 | ! [ -f m4/ax_sys_weak_alias.m4 ] # provide own copy only until it is there | |
200 | cp %{_aclocaldir}/ax_sys_weak_alias.m4 m4 | |
201 | ||
202 | %build | |
203 | %{__libtoolize} | |
204 | cp -f /usr/share/automake/config.sub . | |
205 | %{__aclocal} -I m4 | |
206 | %{__autoconf} | |
207 | %configure \ | |
208 | NROFFPROG=nroff \ | |
209 | --enable-zlib=system \ | |
210 | %{__with_without apparmor} \ | |
211 | --with-env-editor \ | |
212 | --with-ignore-dot \ | |
213 | --with-incpath=/usr/include/security \ | |
214 | --with-logfac=authpriv \ | |
215 | --with-logging=syslog \ | |
216 | --with-loglen=320 \ | |
217 | --with-logpath=/var/log/sudo \ | |
218 | --with-long-otp-prompt \ | |
219 | --with-pam \ | |
220 | --with-pam-login \ | |
221 | --with-passprompt="[sudo] password for %%p: " \ | |
222 | --with-secure-path="/bin:/sbin:/usr/bin:/usr/sbin" \ | |
223 | --with-tty-tickets \ | |
224 | --with-exampledir=%{_examplesdir}/%{name}-%{version} \ | |
225 | --enable-tmpfiles.d=%{systemdtmpfilesdir} \ | |
226 | %{__with kerberos5 kerb5} \ | |
227 | %{__with ldap} \ | |
228 | %{__with audit linux-audit} \ | |
229 | %{__with selinux} \ | |
230 | %{__with skey} \ | |
231 | %{__with sssd} \ | |
232 | ||
233 | %{__make} | |
234 | ||
235 | %{?with_tests:%{__make} check} | |
236 | ||
237 | %install | |
238 | rm -rf $RPM_BUILD_ROOT | |
239 | install -d $RPM_BUILD_ROOT{/etc/pam.d,/var/log/sudo-io} | |
240 | ||
241 | %{__make} -j1 install \ | |
242 | DESTDIR=$RPM_BUILD_ROOT \ | |
243 | install_uid=$(id -u) \ | |
244 | install_gid=$(id -g) \ | |
245 | sudoers_uid=$(id -u) \ | |
246 | sudoers_gid=$(id -g) \ | |
247 | shlib_mode="0755" | |
248 | ||
249 | %{__rm} $RPM_BUILD_ROOT%{_sysconfdir}/sudoers.dist | |
250 | ||
251 | cp -p %{SOURCE1} $RPM_BUILD_ROOT/etc/pam.d/sudo | |
252 | cp -p %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sudo-i | |
253 | ||
254 | %if "%{pld_release}" == "ac" | |
255 | # not present in ac, no point searching it | |
256 | %{__sed} -i -e '/pam_keyinit.so/d' $RPM_BUILD_ROOT/etc/pam.d/sudo* | |
257 | %endif | |
258 | ||
259 | %{__rm} $RPM_BUILD_ROOT%{_libexecdir}/sudo/*.la | |
260 | %{__rm} -r $RPM_BUILD_ROOT%{_docdir}/%{name} | |
261 | ||
262 | %if %{with ldap} | |
263 | install -d $RPM_BUILD_ROOT%{schemadir} | |
264 | cp -p docs/schema.OpenLDAP $RPM_BUILD_ROOT%{schemadir}/sudo.schema | |
265 | %endif | |
266 | ||
267 | # sudo,sudoers domains | |
268 | %find_lang %{name} --all-name | |
269 | ||
270 | %clean | |
271 | rm -rf $RPM_BUILD_ROOT | |
272 | ||
273 | %post -n openldap-schema-sudo | |
274 | %openldap_schema_register %{schemadir}/sudo.schema -d core | |
275 | %service -q ldap restart | |
276 | %banner -o -e openldap-schema-sudo <<'EOF' | |
277 | NOTE: | |
278 | In order for sudoRole LDAP queries to be efficient, the server must index | |
279 | the attribute 'sudoUser', e.g. | |
280 | ||
281 | # Indices to maintain | |
282 | index sudoUser eq | |
283 | EOF | |
284 | ||
285 | %postun -n openldap-schema-sudo | |
286 | if [ "$1" = "0" ]; then | |
287 | %openldap_schema_unregister %{schemadir}/sudo.schema | |
288 | %service -q ldap restart | |
289 | fi | |
290 | ||
291 | %triggerpostun -- %{name} < 1:1.8.7-2 | |
292 | # 1:1.8.7-2 | |
293 | # add include statement to sudoers | |
294 | if ! grep -q '#includedir %{_sysconfdir}/sudoers.d' /etc/sudoers; then | |
295 | echo 'Adding includedir %{_sysconfdir}/sudoers.d to /etc/sudoers' | |
296 | cat <<-EOF >> /etc/sudoers | |
297 | ## Read drop-in files from %{_sysconfdir}/sudoers.d | |
298 | ## (the '#' here does not indicate a comment) | |
299 | #includedir %{_sysconfdir}/sudoers.d | |
300 | EOF | |
301 | fi | |
302 | ||
303 | %files -f %{name}.lang | |
304 | %defattr(644,root,root,755) | |
305 | %doc ChangeLog LICENSE.md NEWS README.md docs/{CONTRIBUTORS,HISTORY,TROUBLESHOOTING,UPGRADE}.md | |
306 | %{?with_ldap:%doc README.LDAP.md} | |
307 | %attr(550,root,root) %dir %{_sysconfdir}/sudoers.d | |
308 | %attr(440,root,root) %verify(not md5 mtime size) %config(noreplace) %{_sysconfdir}/sudoers | |
309 | %attr(640,root,root) %verify(not md5 mtime size) %config(noreplace) %{_sysconfdir}/sudo.conf | |
310 | %attr(600,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/sudo | |
311 | %attr(600,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/sudo-i | |
312 | %attr(755,root,root) %{_bindir}/cvtsudoers | |
313 | %attr(4755,root,root) %{_bindir}/sudo | |
314 | %attr(4755,root,root) %{_bindir}/sudoedit | |
315 | %attr(755,root,root) %{_bindir}/sudoreplay | |
316 | %attr(755,root,root) %{_sbindir}/visudo | |
317 | %dir %{_libexecdir}/sudo | |
318 | %attr(755,root,root) %{_libexecdir}/sudo/libsudo_util.so.*.*.* | |
319 | %attr(755,root,root) %{_libexecdir}/sudo/libsudo_util.so.0 | |
320 | %attr(755,root,root) %{_libexecdir}/sudo/libsudo_util.so | |
321 | %{?with_selinux:%attr(755,root,root) %{_libexecdir}/sudo/sesh} | |
322 | %attr(755,root,root) %{_libexecdir}/sudo/audit_json.so | |
323 | %attr(755,root,root) %{_libexecdir}/sudo/group_file.so | |
324 | %attr(755,root,root) %{_libexecdir}/sudo/sample_approval.so | |
325 | %attr(755,root,root) %{_libexecdir}/sudo/sudo_intercept.so | |
326 | %attr(755,root,root) %{_libexecdir}/sudo/sudo_noexec.so | |
327 | %attr(755,root,root) %{_libexecdir}/sudo/sudoers.so | |
328 | %attr(755,root,root) %{_libexecdir}/sudo/system_group.so | |
329 | %{_mandir}/man1/cvtsudoers.1* | |
330 | %{_mandir}/man5/sudo_plugin.5* | |
331 | %{_mandir}/man5/sudoers.5* | |
332 | %{_mandir}/man5/sudoers_timestamp.5* | |
333 | %{_mandir}/man5/sudo.conf.5* | |
334 | %{?with_ldap:%{_mandir}/man5/sudoers.ldap.5*} | |
335 | %{_mandir}/man8/sudo.8* | |
336 | %{_mandir}/man8/sudoedit.8* | |
337 | %{_mandir}/man8/sudoreplay.8* | |
338 | %{_mandir}/man8/visudo.8* | |
339 | %{systemdtmpfilesdir}/%{name}.conf | |
340 | %{_examplesdir}/%{name}-%{version} | |
341 | %attr(700,root,root) /var/log/sudo-io | |
342 | %attr(700,root,root) %dir /var/db/sudo | |
343 | ||
344 | %files devel | |
345 | %defattr(644,root,root,755) | |
346 | %{_includedir}/sudo_plugin.h | |
347 | ||
348 | %if %{with ldap} | |
349 | %files -n openldap-schema-sudo | |
350 | %defattr(644,root,root,755) | |
351 | %{schemadir}/sudo.schema | |
352 | %endif | |
353 | ||
354 | %files logsrvd | |
355 | %defattr(644,root,root,755) | |
356 | %attr(640,root,root) %verify(not md5 mtime size) %config(noreplace) %{_sysconfdir}/sudo_logsrvd.conf | |
357 | %attr(755,root,root) %{_sbindir}/sudo_logsrvd | |
358 | %attr(755,root,root) %{_sbindir}/sudo_sendlog | |
359 | %{_mandir}/man5/sudo_logsrv.proto.5* | |
360 | %{_mandir}/man5/sudo_logsrvd.conf.5* | |
361 | %{_mandir}/man8/sudo_logsrvd.8* | |
362 | %{_mandir}/man8/sudo_sendlog.8* |