sudo/sudo.spec

Name: sudo
Version: 1.8.27
Release: 5
Summary: Allows restricted root access for specified users
License: ISC
URL: http://www.courtesan.com/sudo/

Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz
Source1: sudoers
Source2: sudo
Source3: sudo-i

Patch6000: sudo_minus_1_uid.patch
Patch6001: strtoid_minus_1_test_fix.patch
Patch6002: Fix-CVE-2019-19232-control-matching-of-unknown-IDs.patch
Patch6003: Fix-CVE-2019-19234-add-runas_check_shell-flag.patch

Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: pam
Recommends: vim-minimal
Requires(post): coreutils

BuildRequires: pam-devel groff openldap-devel flex bison automake autoconf libtool
BuildRequires: audit-libs-devel libcap-devel libselinux-devel sendmail gettext zlib-devel
BuildRequires: chrpath git

%description
Sudo is a program designed to allow a sysadmin to give limited root privileges
to users and log root activity.  The basic philosophy is to give as few
privileges as possible but still allow people to get their work done.

%package        devel
Summary:        Development files for %{name}
Requires:       %{name} = %{version}-%{release}

%description    devel
The %{name}-devel package contains header files developing sudo
plugins that use %{name}.

%package_help

%prep
%autosetup -n %{name}-%{version} -S git

%build
autoreconf -I m4 -fv --install
export CFLAGS="$RPM_OPT_FLAGS -fpie" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"
%configure \
        --prefix=%{_prefix} \
        --sbindir=%{_sbindir} \
        --libdir=%{_libdir} \
        --docdir=%{_pkgdocdir} \
        --disable-root-mailer \
        --with-logging=syslog \
        --with-logfac=authpriv \
        --with-pam \
        --with-pam-login \
        --with-editor=/bin/vi \
        --with-env-editor \
        --with-ignore-dot \
        --with-tty-tickets \
        --with-ldap \
        --with-selinux \
        --with-passprompt="[sudo] password for %p: " \
        --with-linux-audit \
        --with-sssd

%make_build

%check
make check

%install
rm -rf $RPM_BUILD_ROOT
%make_install install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g`

chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/* 
install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo
install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured
install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d
install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers
install -p -d -m 755 $RPM_BUILD_ROOT/etc/dnf/protected.d/

touch sudo.conf
echo sudo > sudo.conf
install -p -c -m 0644 sudo.conf $RPM_BUILD_ROOT/etc/dnf/protected.d/
rm -f sudo.conf

chmod +x $RPM_BUILD_ROOT%{_libexecdir}/sudo/*.so

rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/LICENSE
rm -rf $RPM_BUILD_ROOT%{_datadir}/examples/sudo

%delete_la

rm -f $RPM_BUILD_ROOT%{_sysconfdir}/sudoers.dist

%chrpath_delete
mkdir -p $RPM_BUILD_ROOT/etc/ld.so.conf.d
echo "/usr/libexec/sudo" > $RPM_BUILD_ROOT/etc/ld.so.conf.d/%{name}-%{_arch}.conf

%find_lang sudo
%find_lang sudoers

mkdir -p $RPM_BUILD_ROOT/etc/pam.d
install -p -c -m 0644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sudo
install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i

%post
/bin/chmod 0440 /etc/sudoers || :
/sbin/ldconfig || :

%postun -p /sbin/ldconfig

%files -f sudo.lang -f sudoers.lang
%attr(0440,root,root) %config(noreplace) /etc/sudoers
%attr(0750,root,root) %dir /etc/sudoers.d/
%attr(0644,root,root) %{_tmpfilesdir}/sudo.conf
%attr(0644,root,root) /etc/dnf/protected.d/sudo.conf
%attr(4111,root,root) %{_bindir}/sudo
%attr(0111,root,root) %{_bindir}/sudoreplay
%{_bindir}/sudoedit
%{_bindir}/cvtsudoers
%attr(0755,root,root) %{_sbindir}/visudo
%attr(0755,root,root) %{_libexecdir}/sudo/sesh
%attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so
%attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so
%attr(0644,root,root) %{_libexecdir}/sudo/group_file.so
%attr(0644,root,root) %{_libexecdir}/sudo/system_group.so
%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so*
%dir /var/db/sudo
%dir /var/db/sudo/lectured
%dir %{_libexecdir}/sudo
%config(noreplace) /etc/pam.d/sudo
%config(noreplace) /etc/pam.d/sudo-i
%config(noreplace) /etc/ld.so.conf.d/*
%license doc/LICENSE

%files devel
%{_includedir}/sudo_plugin.h

%files help
%dir %{_pkgdocdir}/
%{_mandir}/man5/*
%{_mandir}/man8/*
%{_mandir}/man1/*
%{_pkgdocdir}/*
%doc plugins/sample/sample_plugin.c
%exclude %{_pkgdocdir}/ChangeLog

%changelog
* Fri Apr 17 2020 Anakin Zhang <nbztx@126.com> - 1.8.27-5
- Read drop-in files from /etc/sudoers.d

* Mon Jan 20 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.8.27-4
- fix CVE-2019-19232 and CVE-2019-19234

* Sat Jan 11 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.8.27-3
- clean code

* Mon Dec 16 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.8.27-2
- Fix CVE-2019-14287

* Tue Aug 27 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.8.27-1
- Package init
Package init 2019-09-30 11:17:51 -04:00			`Name: sudo`
			`Version: 1.8.27`
change release num 2020-05-07 15:14:07 +08:00			`Release: 5`
Package init 2019-09-30 11:17:51 -04:00			`Summary: Allows restricted root access for specified users`
			`License: ISC`
			`URL: http://www.courtesan.com/sudo/`

			`Source0: https://www.sudo.ws/dist/%{name}-%{version}.tar.gz`
			`Source1: sudoers`
			`Source2: sudo`
			`Source3: sudo-i`

Package init 2019-12-25 16:08:18 +08:00			`Patch6000: sudo_minus_1_uid.patch`
			`Patch6001: strtoid_minus_1_test_fix.patch`
fix CVE-2019-19232 and CVE-2019-19234 2020-01-20 16:22:06 +08:00			`Patch6002: Fix-CVE-2019-19232-control-matching-of-unknown-IDs.patch`
			`Patch6003: Fix-CVE-2019-19234-add-runas_check_shell-flag.patch`
Package init 2019-12-25 16:08:18 +08:00
Package init 2019-09-30 11:17:51 -04:00			`Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)`
			`Requires: pam`
			`Recommends: vim-minimal`
			`Requires(post): coreutils`

			`BuildRequires: pam-devel groff openldap-devel flex bison automake autoconf libtool`
			`BuildRequires: audit-libs-devel libcap-devel libselinux-devel sendmail gettext zlib-devel`
			`BuildRequires: chrpath git`

			`%description`
			`Sudo is a program designed to allow a sysadmin to give limited root privileges`
			`to users and log root activity. The basic philosophy is to give as few`
			`privileges as possible but still allow people to get their work done.`

			`%package devel`
			`Summary: Development files for %{name}`
			`Requires: %{name} = %{version}-%{release}`

			`%description devel`
			`The %{name}-devel package contains header files developing sudo`
			`plugins that use %{name}.`

			`%package_help`

			`%prep`
			`%autosetup -n %{name}-%{version} -S git`

			`%build`
			`autoreconf -I m4 -fv --install`
			`export CFLAGS="$RPM_OPT_FLAGS -fpie" LDFLAGS="-pie -Wl,-z,relro -Wl,-z,now"`
			`%configure \`
			`--prefix=%{_prefix} \`
			`--sbindir=%{_sbindir} \`
			`--libdir=%{_libdir} \`
			`--docdir=%{_pkgdocdir} \`
			`--disable-root-mailer \`
			`--with-logging=syslog \`
			`--with-logfac=authpriv \`
			`--with-pam \`
			`--with-pam-login \`
			`--with-editor=/bin/vi \`
			`--with-env-editor \`
			`--with-ignore-dot \`
			`--with-tty-tickets \`
			`--with-ldap \`
			`--with-selinux \`
			`--with-passprompt="[sudo] password for %p: " \`
			`--with-linux-audit \`
			`--with-sssd`

			`%make_build`

			`%check`
			`make check`

			`%install`
			`rm -rf $RPM_BUILD_ROOT`
			%make_install install_uid=`id -u` install_gid=`id -g` sudoers_uid=`id -u` sudoers_gid=`id -g`

			`chmod 755 $RPM_BUILD_ROOT%{_bindir}/* $RPM_BUILD_ROOT%{_sbindir}/*`
			`install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo`
			`install -p -d -m 700 $RPM_BUILD_ROOT/var/db/sudo/lectured`
			`install -p -d -m 750 $RPM_BUILD_ROOT/etc/sudoers.d`
			`install -p -c -m 0440 %{SOURCE1} $RPM_BUILD_ROOT/etc/sudoers`
			`install -p -d -m 755 $RPM_BUILD_ROOT/etc/dnf/protected.d/`

			`touch sudo.conf`
			`echo sudo > sudo.conf`
			`install -p -c -m 0644 sudo.conf $RPM_BUILD_ROOT/etc/dnf/protected.d/`
			`rm -f sudo.conf`

			`chmod +x $RPM_BUILD_ROOT%{_libexecdir}/sudo/*.so`

			`rm -rf $RPM_BUILD_ROOT%{_pkgdocdir}/LICENSE`
			`rm -rf $RPM_BUILD_ROOT%{_datadir}/examples/sudo`

			`%delete_la`

			`rm -f $RPM_BUILD_ROOT%{_sysconfdir}/sudoers.dist`

			`%chrpath_delete`
			`mkdir -p $RPM_BUILD_ROOT/etc/ld.so.conf.d`
			`echo "/usr/libexec/sudo" > $RPM_BUILD_ROOT/etc/ld.so.conf.d/%{name}-%{_arch}.conf`

			`%find_lang sudo`
			`%find_lang sudoers`

			`mkdir -p $RPM_BUILD_ROOT/etc/pam.d`
			`install -p -c -m 0644 %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/sudo`
			`install -p -c -m 0644 %{SOURCE3} $RPM_BUILD_ROOT/etc/pam.d/sudo-i`

			`%post`
			`/bin/chmod 0440 /etc/sudoers \|\| :`
			`/sbin/ldconfig \|\| :`

			`%postun -p /sbin/ldconfig`

			`%files -f sudo.lang -f sudoers.lang`
			`%attr(0440,root,root) %config(noreplace) /etc/sudoers`
			`%attr(0750,root,root) %dir /etc/sudoers.d/`
			`%attr(0644,root,root) %{_tmpfilesdir}/sudo.conf`
			`%attr(0644,root,root) /etc/dnf/protected.d/sudo.conf`
			`%attr(4111,root,root) %{_bindir}/sudo`
			`%attr(0111,root,root) %{_bindir}/sudoreplay`
			`%{_bindir}/sudoedit`
			`%{_bindir}/cvtsudoers`
			`%attr(0755,root,root) %{_sbindir}/visudo`
			`%attr(0755,root,root) %{_libexecdir}/sudo/sesh`
			`%attr(0644,root,root) %{_libexecdir}/sudo/sudo_noexec.so`
			`%attr(0644,root,root) %{_libexecdir}/sudo/sudoers.so`
			`%attr(0644,root,root) %{_libexecdir}/sudo/group_file.so`
			`%attr(0644,root,root) %{_libexecdir}/sudo/system_group.so`
			`%attr(0644,root,root) %{_libexecdir}/sudo/libsudo_util.so*`
			`%dir /var/db/sudo`
			`%dir /var/db/sudo/lectured`
			`%dir %{_libexecdir}/sudo`
			`%config(noreplace) /etc/pam.d/sudo`
			`%config(noreplace) /etc/pam.d/sudo-i`
			`%config(noreplace) /etc/ld.so.conf.d/*`
			`%license doc/LICENSE`

			`%files devel`
			`%{_includedir}/sudo_plugin.h`

			`%files help`
			`%dir %{_pkgdocdir}/`
			`%{_mandir}/man5/*`
			`%{_mandir}/man8/*`
			`%{_mandir}/man1/*`
			`%{_pkgdocdir}/*`
			`%doc plugins/sample/sample_plugin.c`
			`%exclude %{_pkgdocdir}/ChangeLog`

			`%changelog`
change release num 2020-05-07 15:14:07 +08:00			`* Fri Apr 17 2020 Anakin Zhang <nbztx@126.com> - 1.8.27-5`
Read drop-in files from /etc/sudoers.d 2020-04-17 10:34:03 +08:00			`- Read drop-in files from /etc/sudoers.d`

fix CVE-2019-19232 and CVE-2019-19234 2020-01-20 16:22:06 +08:00			`* Mon Jan 20 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.8.27-4`
			`- fix CVE-2019-19232 and CVE-2019-19234`

sudo: clean code 2020-01-11 10:43:18 +08:00			`* Sat Jan 11 2020 openEuler Buildteam <buildteam@openeuler.org> - 1.8.27-3`
			`- clean code`

Package init 2019-12-25 16:08:18 +08:00			`* Mon Dec 16 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.8.27-2`
			`- Fix CVE-2019-14287`

Package init 2019-09-30 11:17:51 -04:00			`* Tue Aug 27 2019 openEuler Buildteam <buildteam@openeuler.org> - 1.8.27-1`
			`- Package init`