
on "cp -p" to work in the postinstall script. On AIX 6.1 at least the postinstall script runs before the final file permissions are set.
258 lines
7.2 KiB
ObjectPascal
258 lines
7.2 KiB
ObjectPascal
%set
|
|
if test -n "$flavor"; then
|
|
name="sudo-$flavor"
|
|
pp_kit_package="sudo_$flavor"
|
|
else
|
|
name="sudo"
|
|
pp_kit_package="sudo"
|
|
fi
|
|
summary="Provide limited super-user priveleges to specific users"
|
|
description="Sudo is a program designed to allow a sysadmin to give \
|
|
limited root privileges to users and log root activity. \
|
|
The basic philosophy is to give as few privileges as possible but \
|
|
still allow people to get their work done."
|
|
vendor="Todd C. Miller"
|
|
copyright="(c) 1993-1996,1998-2011 Todd C. Miller"
|
|
|
|
%if [aix]
|
|
# AIX package summary is limited to 40 characters
|
|
summary="Configurable super-user privileges"
|
|
|
|
# Convert to 4 part version for AIX, including patch level
|
|
pp_aix_version=`echo $version|sed -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)p\([0-9]*\)$/\1.\2/' -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)[^0-9\.].*$/\1/' -e 's/^\([0-9]*\.[0-9]*\.[0-9]*\)$/\1.0/'`
|
|
%endif
|
|
|
|
%if [kit]
|
|
# Strip off patchlevel for kit which only supports xyz versions
|
|
pp_kit_version="`echo $version|sed -e 's/\.//g' -e 's/[^0-9][^0-9]*[0-9][0-9]*$//'`"
|
|
pp_kit_name="TCM"
|
|
%endif
|
|
|
|
%if [sd]
|
|
pp_sd_vendor_tag="TCM"
|
|
%endif
|
|
|
|
%if [solaris]
|
|
pp_solaris_name="TCM${name}"
|
|
pp_solaris_pstamp=`/usr/bin/date "+%B %d, %Y"`
|
|
%endif
|
|
|
|
%if [rpm,deb]
|
|
# Convert patch level into release and remove from version
|
|
pp_rpm_release="`expr \( $version : '.*p\([0-9][0-9]*\)' \| 0 \) + 1`"
|
|
pp_rpm_version="`expr $version : '\(.*\)p[0-9][0-9]*'`"
|
|
pp_rpm_license="BSD"
|
|
pp_rpm_url="http://www.sudo.ws/"
|
|
pp_rpm_group="Applications/System"
|
|
pp_rpm_packager="Todd.Miller@courtesan.com"
|
|
if test -n "$linux_audit"; then
|
|
pp_rpm_requires="audit-libs >= $linux_audit"
|
|
fi
|
|
|
|
pp_deb_maintainer="$pp_rpm_packager"
|
|
pp_deb_release="$pp_rpm_release"
|
|
pp_deb_version="$pp_rpm_version"
|
|
%else
|
|
# For all but RPM and Debian we need to install sudoers with a different
|
|
# name and make a copy of it if there is no existing file.
|
|
mv ${pp_destdir}$sudoersdir/sudoers ${pp_destdir}$sudoersdir/sudoers.dist
|
|
%endif
|
|
|
|
%if [rpm]
|
|
# Add distro info to release
|
|
osrelease=`echo "$pp_rpm_distro" | sed -e 's/^[^0-9]*//' -e 's/-.*$//'`
|
|
case "$pp_rpm_distro" in
|
|
centos*|rhel*)
|
|
pp_rpm_release="$pp_rpm_release.el${osrelease%%[0-9]}"
|
|
;;
|
|
sles*)
|
|
pp_rpm_release="$pp_rpm_release.sles$osrelease"
|
|
;;
|
|
esac
|
|
|
|
# Uncomment some Defaults in sudoers
|
|
# Note that the order must match that of sudoers.
|
|
case "$pp_rpm_distro" in
|
|
centos*|rhel*)
|
|
/bin/ed - ${pp_destdir}${sudoersdir}/sudoers <<-'EOF'
|
|
/Locale settings/+1,s/^# //
|
|
/Desktop path settings/+1,s/^# //
|
|
w
|
|
q
|
|
EOF
|
|
;;
|
|
sles*)
|
|
/bin/ed - ${pp_destdir}${sudoersdir}/sudoers <<-'EOF'
|
|
/Locale settings/+1,s/^# //
|
|
/ConsoleKit session/+1,s/^# //
|
|
/allow any user to run sudo if they know the password/+2,s/^# //
|
|
/allow any user to run sudo if they know the password/+3,s/^# //
|
|
w
|
|
q
|
|
EOF
|
|
;;
|
|
esac
|
|
|
|
# For RedHat the doc dir is expected to include version and release
|
|
case "$pp_rpm_distro" in
|
|
centos*|rhel*)
|
|
mv ${pp_destdir}/${docdir} ${pp_destdir}/${docdir}-${version}-${pp_rpm_release}
|
|
docdir=${docdir}-${version}-${pp_rpm_release}
|
|
;;
|
|
esac
|
|
|
|
# Choose the correct PAM file by distro, must be tab indented for "<<-"
|
|
case "$pp_rpm_distro" in
|
|
centos*|rhel*)
|
|
mkdir -p ${pp_destdir}/etc/pam.d
|
|
if test $osrelease -lt 50; then
|
|
cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
|
|
#%PAM-1.0
|
|
auth required pam_stack.so service=system-auth
|
|
account required pam_stack.so service=system-auth
|
|
password required pam_stack.so service=system-auth
|
|
session required pam_limits.so
|
|
EOF
|
|
else
|
|
cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
|
|
#%PAM-1.0
|
|
auth include system-auth
|
|
account include system-auth
|
|
password include system-auth
|
|
session optional pam_keyinit.so revoke
|
|
session required pam_limits.so
|
|
EOF
|
|
cat > ${pp_destdir}/etc/pam.d/sudo-i <<-EOF
|
|
#%PAM-1.0
|
|
auth include sudo
|
|
account include sudo
|
|
password include sudo
|
|
session optional pam_keyinit.so force revoke
|
|
session required pam_limits.so
|
|
EOF
|
|
fi
|
|
;;
|
|
sles*)
|
|
mkdir -p ${pp_destdir}/etc/pam.d
|
|
if test $osrelease -lt 10; then
|
|
cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
|
|
#%PAM-1.0
|
|
auth required pam_unix2.so
|
|
session required pam_limits.so
|
|
EOF
|
|
else
|
|
cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
|
|
#%PAM-1.0
|
|
auth include common-auth
|
|
account include common-account
|
|
password include common-password
|
|
session include common-session
|
|
# session optional pam_xauth.so
|
|
EOF
|
|
fi
|
|
;;
|
|
esac
|
|
%endif
|
|
|
|
%if [deb]
|
|
# Uncomment some Defaults and the %sudo rule in sudoers
|
|
# Note that the order must match that of sudoers and be tab-indented.
|
|
/bin/ed - ${pp_destdir}${sudoersdir}/sudoers <<-'EOF'
|
|
/Locale settings/+1,s/^# //
|
|
/X11 resource/+1,s/^# //
|
|
/^# \%sudo/,s/^# //
|
|
w
|
|
q
|
|
EOF
|
|
mkdir -p ${pp_destdir}/etc/pam.d
|
|
cat > ${pp_destdir}/etc/pam.d/sudo <<-EOF
|
|
#%PAM-1.0
|
|
|
|
@include common-auth
|
|
@include common-account
|
|
|
|
session required pam_permit.so
|
|
session required pam_limits.so
|
|
EOF
|
|
%endif
|
|
|
|
%files
|
|
$bindir/sudo 4111 root:
|
|
$bindir/sudoedit 4111 root:
|
|
$sbindir/visudo 0111
|
|
$bindir/sudoreplay 0111
|
|
$includedir/sudo_plugin.h
|
|
$libexecdir/*
|
|
$sudoersdir/sudoers.d/ 0750 $sudoers_uid:$sudoers_gid
|
|
$timedir/ 0700 root:
|
|
$docdir/
|
|
$docdir/*
|
|
$localedir/ optional
|
|
$localedir/** optional
|
|
/etc/pam.d/* volatile,optional
|
|
%if [rpm,deb]
|
|
$sudoersdir/sudoers $sudoers_mode $sudoers_uid:$sudoers_gid volatile
|
|
%else
|
|
$sudoersdir/sudoers.dist $sudoers_mode $sudoers_uid:$sudoers_gid volatile
|
|
%endif
|
|
|
|
%files [!aix]
|
|
$mandir/man*/*
|
|
|
|
%files [aix]
|
|
# Some versions use catpages, some use manpages.
|
|
$mandir/cat*/* optional
|
|
$mandir/man*/* optional
|
|
|
|
%post [!rpm,deb]
|
|
# Don't overwrite an existing sudoers file
|
|
sudoersdir=%{sudoersdir}
|
|
if test ! -r $sudoersdir/sudoers; then
|
|
cp $sudoersdir/sudoers.dist $sudoersdir/sudoers
|
|
chmod %{sudoers_mode} $sudoersdir/sudoers
|
|
chown %{sudoers_uid} $sudoersdir/sudoers
|
|
chgrp %{sudoers_gid} $sudoersdir/sudoers
|
|
fi
|
|
|
|
%post [deb]
|
|
# dpkg-deb does not maintain the mode on the sudoers file, and
|
|
# installs it 0640 when sudo requires 0440
|
|
chmod %{sudoers_mode} %{sudoersdir}/sudoers
|
|
|
|
# create symlink to ease transition to new path for ldap config
|
|
# if old config file exists and new one doesn't
|
|
if test X"%{flavor}" = X"ldap" -a \
|
|
-r /etc/ldap/ldap.conf -a ! -r /etc/sudo-ldap.conf; then
|
|
ln -s /etc/ldap/ldap.conf /etc/sudo-ldap.conf
|
|
fi
|
|
|
|
# Debian uses a sudo group in its default sudoers file
|
|
perl -e '
|
|
exit 0 if getgrnam("sudo");
|
|
$gid = 27; # default debian sudo gid
|
|
setgrent();
|
|
while (getgrgid($gid)) { $gid++; }
|
|
if ($gid != 27) {
|
|
print "On Debian we normally use gid 27 for \"sudo\".\n";
|
|
$gname = getgrgid(27);
|
|
print "However, on your system gid 27 is group \"$gname\".\n\n";
|
|
print "Would you like me to stop configuring sudo so that you can change this? [n] ";
|
|
$ans = <STDIN>;
|
|
if ($ans =~ /^[yY]/) {
|
|
print "\"dpkg --pending --configure\" will restart the configuration.\n\n";
|
|
exit 1;
|
|
}
|
|
}
|
|
print "Creating group \"sudo\" with gid = $gid\n";
|
|
system("groupadd -g $gid sudo");
|
|
exit 0;
|
|
'
|
|
|
|
%preun [deb]
|
|
# Remove the /etc/ldap/ldap.conf -> /etc/sudo-ldap.conf symlink if
|
|
# it matches what we created in the postinstall script.
|
|
if test X"%{flavor}" = X"ldap" -a \
|
|
X"`readlink /etc/sudo-ldap.conf 2>/dev/null`" = X"/etc/ldap/ldap.conf"; then
|
|
rm -f /etc/sudo-ldap.conf
|
|
fi
|