#
# Conditional build:
-%bcond_with kerberos5 # enable Kerberos V support (conflicts with PAM)
-%bcond_without ldap # disable LDAP support
-%bcond_without pam # disable PAM support
-%bcond_without selinux # build without SELinux support
-%bcond_with skey # enable skey (onetime passwords) support (conflicts with PAM)
-#
+%if "%{pld_release}" == "ac"
+%bcond_with audit # Linux audit support
+%else
+%bcond_without audit # Linux audit support
+%endif
+%bcond_with kerberos5 # Kerberos V support (conflicts with PAM)
+%bcond_without ldap # LDAP support
+%bcond_without pam # PAM support
+%bcond_without selinux # SELinux support
+%bcond_with skey # skey (onetime passwords) support (conflicts with PAM)
+%bcond_without sssd # SSSD support plugin
+%bcond_without tests # do not perform "make check"
+
+%if "%{pld_release}" == "ac"
+%define pam_ver 0.80.1
+%else
+%define pam_ver 0.99.7.1
+%endif
+
Summary: Allows command execution as root for specified users
Summary(es.UTF-8): Permite que usuarios específicos ejecuten comandos como se fueran el root
Summary(ja.UTF-8): 指定ユーザに制限付のroot権限を許可する
Summary(ru.UTF-8): Позволяет определенным пользователям исполнять команды от имени root
Summary(uk.UTF-8): Дозволяє вказаним користувачам виконувати команди від імені root
Name: sudo
-Version: 1.7.2p2
+Version: 1.8.11
Release: 1
Epoch: 1
License: BSD
Group: Applications/System
Source0: ftp://ftp.sudo.ws/pub/sudo/%{name}-%{version}.tar.gz
-# Source0-md5: 2a19cf1ab4afc94fe19d0d0899d4cd45
+# Source0-md5: 9a642cf6aca5375f8569a2961f44d0f3
Source1: %{name}.pamd
Source2: %{name}-i.pamd
Source3: %{name}.logrotate
-Patch0: %{name}-pam-login.patch
-Patch1: %{name}-libtool.patch
-Patch2: %{name}-env.patch
+Source4: %{name}.tmpfiles
+Patch0: %{name}-env.patch
+Patch1: config.patch
URL: http://www.sudo.ws/sudo/
+%{?with_audit:BuildRequires: audit-libs-devel}
BuildRequires: autoconf >= 2.53
BuildRequires: automake
+BuildRequires: bison
+BuildRequires: groff
+BuildRequires: flex
+BuildRequires: gettext-devel
%{?with_kerberos5:BuildRequires: heimdal-devel}
%{?with_selinux:BuildRequires: libselinux-devel}
-BuildRequires: libtool
+BuildRequires: libtool >= 2:2.2.6
%{?with_ldap:BuildRequires: openldap-devel >= 2.3.0}
%{?with_pam:BuildRequires: pam-devel}
+BuildRequires: rpm >= 4.4.9-56
+BuildRequires: rpmbuild(macros) >= 1.595
%{?with_skey:BuildRequires: skey-devel >= 2.2-11}
-Requires: pam >= 0.99.7.1
+BuildRequires: zlib-devel
+Requires: pam >= %{pam_ver}
Obsoletes: cu-sudo
BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
+%define schemadir /usr/share/openldap/schema
+
+# uses sudo_warn_*_v1 symbols from binaries
+%define skip_post_check_so libsudo_util.so.*
+
%description
Sudo (superuser do) allows a permitted user to execute a command as
the superuser (real and effective uid and gid are set to 0 and root's
substituto para la shell.
%description -l ja.UTF-8
-sudo (superuser do) とはシステム管理者が、信用できるユーザ(またはグループ)に対
-して、いくつか(もしくは全て)のコマンドを root として実行できるよう、そのコマン
-ドの実行履歴のログをとりつつ許可する仕組みです。sudo はコマンド一行単位で動作
+sudo (superuser do)
+とはシステム管理者が、信用できるユーザ(またはグループ)に対
+して、いくつか(もしくは全て)のコマンドを root
+として実行できるよう、そのコマン
+ドの実行履歴のログをとりつつ許可する仕組みです。sudo
+はコマンド一行単位で動作
します。シェルの置き換えではありません。以下の機能を内蔵しています。ホスト単位
で、そのコマンドを実行可能なユーザを制限する機能、各コマンドについての(誰がな
-にを実行したかの痕跡を残すための)豊富なロギング機能、sudo コマンドのタイムアウ
-ト時間を設定可能、複数のマシンで同一の設定ファイル(sudoers)を共有する機能、が あります。
+にを実行したかの痕跡を残すための)豊富なロギング機能、sudo
+コマンドのタイムアウ
+ト時間を設定可能、複数のマシンで同一の設定ファイル(sudoers)を共有する機能、が
+あります。
%description -l pl.UTF-8
Sudo (superuser do) umożliwia wykonywanie konkretnych poleceń jako
пам'ятає пароль; використання одного конфігураційного файлу (sudoers)
на багатьох машинах.
+%package devel
+Summary: Header file for sudo plugins development
+Summary(pl.UTF-8): Plik nagłówkowy do tworzenia wtyczek dla sudo
+Group: Development/Libraries
+
+%description devel
+Header file for sudo plugins development.
+
+%description devel -l pl.UTF-8
+Plik nagłówkowy do tworzenia wtyczek dla sudo.
+
+%package -n openldap-schema-sudo
+Summary: Sudo LDAP schema
+Summary(pl.UTF-8): Schemat bazy sudo dla LDAP
+Group: Networking/Daemons
+Requires(post,postun): sed >= 4.0
+Requires: openldap-servers
+Requires: sed >= 4.0
+%if "%{_rpmversion}" >= "5"
+BuildArch: noarch
+%endif
+
+%description -n openldap-schema-sudo
+This package contains sudo.schema for openldap.
+
+%description -n openldap-schema-sudo -l pl.UTF-8
+Ten pakiet zawiera sudo.schema dla pakietu openldap.
+
%prep
%setup -q
# only local macros
-mv -f aclocal.m4 acinclude.m4
-# kill libtool.m4 copy
-rm -f acsite.m4
+mv aclocal.m4 acinclude.m4
+# do not load libtool macros from acinclude
+cp -p acinclude.m4 acinclude.m4.orig
+%{__sed} -i -e '/Pull in libtool macros/,$d' acinclude.m4
%patch0 -p1
%patch1 -p1
-%patch2 -p1
%build
%{__mv} install-sh install-custom-sh
%{__libtoolize}
%{__mv} install-custom-sh install-sh
cp -f /usr/share/automake/config.sub .
-%{__aclocal}
+%{__aclocal} -I m4
%{__autoconf}
%configure \
NROFFPROG=nroff \
- --with-incpath=%{_includedir}/security \
- --with-timedir=/var/run/sudo \
- --with-pam \
- --with-pam-login \
- --with-logging=both \
- --with-logfac=auth \
- --with-logpath=/var/log/sudo \
- --with-ignore-dot \
+ --enable-zlib=system \
--with-env-editor \
---with-secure-path="/bin:/sbin:%{_bindir}:%{_sbindir}" \
+ --with-ignore-dot \
+ --with-incpath=/usr/include/security \
+ --with-logfac=auth \
+ --with-logging=both \
--with-loglen=320 \
- --disable-saved-ids \
- --with%{!?with_kerberos5:out}-kerb5 \
- --with%{!?with_ldap:out}-ldap \
- --with%{!?with_skey:out}-skey \
- --with%{!?with_selinux:out}-selinux \
- --with-long-otp-prompt
+ --with-logpath=/var/log/sudo \
+ --with-long-otp-prompt \
+ --with-pam \
+ --with-pam-login \
+ --with-passprompt="[sudo] password for %%p: " \
+ --with-secure-path="/bin:/sbin:/usr/bin:/usr/sbin" \
+ %{__with kerberos5 kerb5} \
+ %{__with ldap} \
+ %{__with audit linux-audit} \
+ %{__with selinux} \
+ %{__with skey} \
+ %{__with sssd} \
%{__make}
+%{?with_tests:%{__make} check}
+
%install
rm -rf $RPM_BUILD_ROOT
-install -d $RPM_BUILD_ROOT{%{_sysconfdir}/{pam.d,logrotate.d},/var/{log,run/sudo},%{_mandir}/man8}
+install -d $RPM_BUILD_ROOT%{_sysconfdir}/{sudoers.d,pam.d,logrotate.d}
+install -d $RPM_BUILD_ROOT{%{systemdtmpfilesdir},/var/log/sudo-io,%{_mandir}/man8}
%{__make} -j1 install \
DESTDIR=$RPM_BUILD_ROOT \
- install_uid=`id -u` \
- install_gid=`id -g` \
- sudoers_uid=`id -u` \
- sudoers_gid=`id -g`
+ install_uid=$(id -u) \
+ install_gid=$(id -g) \
+ sudoers_uid=$(id -u) \
+ sudoers_gid=$(id -g) \
+ shlib_mode="0755"
+
+cp -p %{SOURCE1} $RPM_BUILD_ROOT/etc/pam.d/sudo
+cp -p %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sudo-i
+cp -p %{SOURCE3} $RPM_BUILD_ROOT/etc/logrotate.d/sudo
+cp -p %{SOURCE4} $RPM_BUILD_ROOT%{systemdtmpfilesdir}/%{name}.conf
-install %{SOURCE1} $RPM_BUILD_ROOT/etc/pam.d/sudo
-install %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sudo-i
touch $RPM_BUILD_ROOT/var/log/sudo
-install %{SOURCE3} $RPM_BUILD_ROOT/etc/logrotate.d/sudo
-chmod -R +r $RPM_BUILD_ROOT%{_prefix}
+%{__rm} $RPM_BUILD_ROOT%{_libdir}/sudo/*.la
+%{__rm} -r $RPM_BUILD_ROOT%{_docdir}/%{name}
-rm -f $RPM_BUILD_ROOT%{_libdir}/sudo_noexec.la
+%if %{with ldap}
+install -d $RPM_BUILD_ROOT%{schemadir}
+cp -p doc/schema.OpenLDAP $RPM_BUILD_ROOT%{schemadir}/sudo.schema
+%endif
-# replace hardlinks with symlinks
-ln -sf %{_bindir}/sudo $RPM_BUILD_ROOT%{_bindir}/sudoedit
-rm -f $RPM_BUILD_ROOT%{_mandir}/man8/sudoedit.8
-echo '.so sudo.8' > $RPM_BUILD_ROOT%{_mandir}/man8/sudoedit.8
+# sudo,sudoers domains
+%find_lang %{name} --all-name
%clean
rm -rf $RPM_BUILD_ROOT
-%files
+%post -n openldap-schema-sudo
+%openldap_schema_register %{schemadir}/sudo.schema -d core
+%service -q ldap restart
+%banner -o -e openldap-schema-sudo <<'EOF'
+NOTE:
+In order for sudoRole LDAP queries to be efficient, the server must index
+the attribute 'sudoUser', e.g.
+
+ # Indices to maintain
+ index sudoUser eq
+EOF
+
+%postun -n openldap-schema-sudo
+if [ "$1" = "0" ]; then
+ %openldap_schema_unregister %{schemadir}/sudo.schema
+ %service -q ldap restart
+fi
+
+%triggerpostun -- %{name} < 1:1.8.7-2
+# 1:1.7.8p2-5
+mv -f /var/run/sudo/* /var/db/sudo 2>/dev/null
+rmdir /var/run/sudo 2>/dev/null || :
+
+# 1:1.8.7-2
+# add include statement to sudoers
+if ! grep -q '#includedir %{_sysconfdir}/sudoers.d' /etc/sudoers; then
+ echo 'Adding includedir %{_sysconfdir}/sudoers.d to /etc/sudoers'
+ cat <<-EOF >> /etc/sudoers
+ ## Read drop-in files from %{_sysconfdir}/sudoers.d
+ ## (the '#' here does not indicate a comment)
+ #includedir %{_sysconfdir}/sudoers.d
+ EOF
+fi
+
+%files -f %{name}.lang
%defattr(644,root,root,755)
-%doc HISTORY README TROUBLESHOOTING sample.sudoers
+%doc ChangeLog NEWS README doc/{CONTRIBUTORS,HISTORY,LICENSE,TROUBLESHOOTING,UPGRADE,sample.*}
+%{?with_ldap:%doc README.LDAP plugins/sudoers/sudoers2ldif}
+%attr(550,root,root) %dir %{_sysconfdir}/sudoers.d
%attr(440,root,root) %verify(not md5 mtime size) %config(noreplace) %{_sysconfdir}/sudoers
%attr(600,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/sudo
%attr(600,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/pam.d/sudo-i
%attr(4755,root,root) %{_bindir}/sudo
%attr(4755,root,root) %{_bindir}/sudoedit
+%attr(755,root,root) %{_bindir}/sudoreplay
%attr(755,root,root) %{_sbindir}/visudo
-%{?with_selinux:%attr(755,root,root) %{_libdir}/sesh}
-%attr(755,root,root) %{_libdir}/sudo_noexec.so
+%dir %{_libdir}/sudo
+%attr(755,root,root) %{_libdir}/sudo/libsudo_util.so.*.*.*
+%attr(755,root,root) %{_libdir}/sudo/libsudo_util.so.0
+%attr(755,root,root) %{_libdir}/sudo/libsudo_util.so
+%{?with_selinux:%attr(755,root,root) %{_libdir}/sudo/sesh}
+%attr(755,root,root) %{_libdir}/sudo/group_file.so
+%attr(755,root,root) %{_libdir}/sudo/sudo_noexec.so
+%attr(755,root,root) %{_libdir}/sudo/sudoers.so
+%attr(755,root,root) %{_libdir}/sudo/system_group.so
+%dir /var/run/sudo
%{_mandir}/man5/sudoers.5*
+%{_mandir}/man5/sudo.conf.5*
+%{?with_ldap:%{_mandir}/man5/sudoers.ldap.5*}
%{_mandir}/man8/sudo.8*
+%{_mandir}/man8/sudo_plugin.8*
%{_mandir}/man8/sudoedit.8*
+%{_mandir}/man8/sudoreplay.8*
%{_mandir}/man8/visudo.8*
+%{systemdtmpfilesdir}/%{name}.conf
%attr(600,root,root) %ghost /var/log/sudo
+%attr(700,root,root) /var/log/sudo-io
%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) /etc/logrotate.d/sudo
-%attr(700,root,root) %dir /var/run/sudo
+%attr(700,root,root) %dir /var/db/sudo
+
+%files devel
+%defattr(644,root,root,755)
+%{_includedir}/sudo_plugin.h
+
+%if %{with ldap}
+%files -n openldap-schema-sudo
+%defattr(644,root,root,755)
+%{schemadir}/sudo.schema
+%endif